Abstract — Inductive and coinductive specifications are widely used in formalizing computational systems. Such specifications have a natural rendition in logics that support fixed-point definitions. Another useful formalization device is that of recursive specifications. These specifications are not directly complemented by fixed-point reasoning techniques and, correspondingly, do not have to satisfy strong monotonicity restrictions. We show how to incorporate a rewriting capability into logics of fixed-point definitions towards additionally supporting recursive specifications. In particular, we describe a natural deduction calculus that adds a form of "closed-world" equality — a key ingredient to supporting fixed-point definitions — to deduction modulo, a framework for extending a logic with a rewriting layer operating on formulas. We show that our calculus enjoys strong normalizability when the rewrite system satisfies general properties and we demonstrate its usefulness in specifying and reasoning about syntax-based descriptions. The integration of closed-world equality into deduction modulo leads us to reconfigure the elimination principle for this form of equality in a way that, for the first time, resolves issues regarding the stability of finite proofs under reduction.
I. Introduction

Fixed-point definitions constitute a widely used specification 
device in computational settings. The process of reasoning 
about such definitions can be formalized within a logic by 
including a proof rule for introducing predicates from their 
definition, and a case analysis rule for eliminating such predi- 
cates in favor of the definitions through which they might have 
been derived. For example, given the following definition of natural numbers

$$nat\ 0 \triangleq \top \qquad\qquad nat\ (s\,x) \triangleq nat\ x$$


the introduction and elimination rules would respectively build in the capabilities of recognizing natural numbers and of reasoning by case analysis over them. When definitional clauses are positive, they are guaranteed to admit a fixed point and the logic can be proved to be consistent. Further, least (resp. greatest) fixed points can be characterized by adding an induction (resp. coinduction) rule to the logic. These kinds of treatments have been added to second-order logic [13], [15], type theory [17] and first-order logics [14], [18], [20], [22].

The case analysis rule, which corresponds under the Curry-Howard isomorphism to pattern matching in computations, is complex in many formulations of the above ideas, and the (co)induction rules are even more so. By identifying and utilizing a suitable notion of equality, it is possible to give these rules a simple and elegant rendition. For example, the two clauses for nat can be transformed into the following form:

$$nat\ x \triangleq x = 0 \vee \exists y.\ x = s\,y \wedge nat\ y$$

The case analysis rule can then be derived by unfolding a nat hypothesis into its single defining clause and using elimination rules for disjunction and equality. However, to obtain the expected behavior, equality elimination has to internalize aspects of term equality such as disjointness of constructors; e.g., the $x = 0$ branch should be closed immediately if the instantiation of $x$ has the form $s\,n$. The introduction of this separate notion of equality, which we refer to as closed-world equality, has been central to the concise formulation of generic (co)induction rules [20]. Further, fixed-point combinators can be introduced to make the structure of (co)inductive predicates explicit rather than relying on a side table of definitions. Thus, the (inductive) definition of natural numbers may simply be rendered as $\mu\,(\lambda N\lambda x.\ x = 0 \vee \exists y.\ x = s\,y \wedge N\,y)$. Fixed point combinators simplify and generalize the theory, notably enabling mutual (co)induction schemes from the natural (co)induction rules [2], [3]. The logics resulting from this line of work, which we refer to as logics of fixed-point definitions from now on, have a simple structure that is well-adapted to automated and interactive proof-search [4], [5]. Moreover, they can be combined with features such as generic quantification that are useful in capturing binding structure to yield calculi that are well-suited to formalizing the meta-theory of computational and logical systems [10], [11], [16].

Logics featuring (co)inductive definitions can be made more powerful by adding another genre of definitions: recursive definitions based on inductive sets. A motivating context for such definitions is provided by the Tait-style strong normalizability argument [19], which figures often in the meta-theory of computational systems. For the simply typed λ-calculus, this argument relies on a reducibility relation specified by the following clauses:

$$red\ \iota\ e \triangleq sn\ e \qquad\qquad red\ (t_1 \to t_2)\ e \triangleq \forall e'.\ red\ t_1\ e' \supset red\ t_2\ (e\ e')$$

We assume here that $\iota$ is the sole atomic type and that $sn$ is a predicate that recognizes strong normalizability. The specification of $red$ looks deceptively like a fixed-point definition. However, treating it as such is problematic because the second clause in the definition does not satisfy the positivity condition. More importantly, the Tait-style argument does not involve reasoning on $red$ like we reason on fixed-point definitions. Instead of performing case-analysis or induction on $red$, properties are proved about it using an (external) induction on types and the clauses for $red$ mainly support an unfolding of the definition once the structure of a type is known [12]. Generally, recursive definitions are distinguished by the fact that they embody computations or rewriting within proofs rather than the case analysis and speculative rewriting that is characteristic of fixed-point based reasoning.
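The two clauses for $red$ above, as an added example that is not code from the paper: a small Python model that unfolds $red\ \tau\ e$ by recursion on the type (our own tuple encodings of types, terms and formulas, and our own choice of the fresh names $e_1, e_2, \ldots$) and counts how many $sn$ atoms end up in negative position, which is exactly where the positivity condition fails.

```python
# Added example, not code from the paper: the reducibility relation red of
# the Tait-style argument treated as a rewrite rule on formulas, driven by
# the structure of the type, rather than as a fixed-point definition.
# Encodings are our own: types are ("iota",) or ("arrow", t1, t2); lambda-terms
# are ("var", x) or ("app", f, a); formulas are ("sn", e), ("imp", p, q) or
# ("forall", x, p).  The fresh names e1, e2, ... are our own choice.
from itertools import count

IOTA = ("iota",)

def ARROW(t1, t2): return ("arrow", t1, t2)

def unfold_red(ty, e, fresh=None):
    """Rewrite  red ty e  to a formula that mentions only sn, by recursion on ty:
         red ι e           --> sn e
         red (t1 -> t2) e  --> ∀e'. red t1 e' ⊃ red t2 (e e')
    The recursion is on the type, so unfolding terminates for every instance
    even though the arrow clause mentions red on the left of an implication."""
    fresh = count(1) if fresh is None else fresh
    if ty == IOTA:
        return ("sn", e)
    _, t1, t2 = ty
    x = f"e{next(fresh)}"
    hyp = unfold_red(t1, ("var", x), fresh)
    concl = unfold_red(t2, ("app", e, ("var", x)), fresh)
    return ("forall", x, ("imp", hyp, concl))

def sn_polarities(formula, positive=True):
    """Return (positive, negative) counts of sn atoms; an atom is negative when
    it sits on the left of an odd number of implications.  A non-zero negative
    count is what the positivity condition for fixed-point definitions forbids."""
    tag = formula[0]
    if tag == "sn":
        return (1, 0) if positive else (0, 1)
    if tag == "forall":
        return sn_polarities(formula[2], positive)
    lp, ln = sn_polarities(formula[1], not positive)
    rp, rn = sn_polarities(formula[2], positive)
    return (lp + rp, ln + rn)

def show_term(t):
    return t[1] if t[0] == "var" else f"({show_term(t[1])} {show_term(t[2])})"

def show(f):
    """Readable rendering of an unfolded formula."""
    if f[0] == "sn":
        return f"sn {show_term(f[1])}"
    if f[0] == "forall":
        return f"∀{f[1]}. {show(f[2])}"
    return f"({show(f[1])}) ⊃ {show(f[2])}"
```

For the type $(\iota \to \iota) \to \iota$ the unfolding is $\forall e_1.\ (\forall e_2.\ sn\ e_2 \supset sn\ (e_1\ e_2)) \supset sn\ (e\ e_1)$, with one $sn$ atom in negative position.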

In this paper, we show how to incorporate the capability of recursive definitions into logics of fixed-point definitions. At a technical level, we do this by introducing least and greatest fixed points and the idea of closed-world equality into deduction modulo [7], a framework for extending a logic with a rewriting layer that operates on formulas and terms. This rewriting layer allows for a transparent treatment of recursive definitions, but a satisfactory encoding of closed-world equality (and thus fixed-point definitions) seems outside its reach. This dichotomy actually highlights the different strengths of logics of fixed-point definitions and deduction modulo: while the former constitute excellent vehicles for dealing with (co)inductive definitions, the rewriting capability of the latter is ideally suited for supporting recursive definitions. By extending deduction modulo with closed-world equality and fixed points, we achieve a combination of these strengths. This combination also clarifies the status of our equality: we show that it is compatible with a theory on terms and is thus richer than a simple "syntactic" form of equality.

The main technical result of this paper is a strong nor- 
malizability property for our enriched version of deduction 
modulo. The seminal work in this context is that of Dowek and 
Werner [8], who provide a proof of strong normalizability for 
deduction modulo that is modular with respect to the rewriting 
system being used. In the course of adapting this proof to 
our setting, we rework previous logical treatments of closed- 
world equality in a way that, for the first time, lets us require 
that proofs be finite without sacrificing their stability under 
reduction. For the resulting system, we are able to construct a 
proof of strong normalizability which follows very naturally 
the intended semantics of fixed-point and recursive definitions: 
the former are interpreted as a whole using a semantic fixed- 
point, while the latter are interpreted instance by instance. 
Regarding the normalization of least and greatest fixed-point 
constructs, our work adapts that of Baelde [3] from linear 
to intuitionistic logic. We use a natural deduction style in 
presenting our logic that has the virtue of facilitating future 
investigations of connections with functional programming. 

The rest of the paper is structured as follows. In Section II, we motivate and present our logical system. Section III describes reductions on proofs. Section IV provides a proof of strong normalizability that is modular in the rewrite rules being considered. We use this result to facilitate recursive definitions in Section V and we illustrate their use in formalizing the meta-theory of programming languages. Section VI discusses related and future work.



II. Deduction Modulo with Fixed-Points and Equality

We present our extension to deduction modulo in the form of a typing calculus for appropriately structured proof terms. This gives us a convenient tool for defining proof reductions and proving strong normalizability in later sections.

A. Formalizing closed-world equality 

We first provide an intuition into our formalization of the desired form of equality. The rule for introducing an equality is the expected one: two terms are equal if they are congruent modulo the operative rewriting relation. Denoting the congruence by $\equiv$, this rule can simply be

$$\frac{t \equiv t'}{\Gamma \vdash t = t'}$$

The novelty is in the elimination rule that must encapsulate the closed-world interpretation. This can be captured in the form of a case analysis over all unifiers of the eliminated equality; the unifiers that are relevant to consider here would instantiate variables of universal strength, called eigenvariables, in the terms. One formulation of this idea that has been commonly used in the literature is the following:

$$\frac{\Gamma \vdash t = t' \qquad \{\,\Gamma\theta_i \vdash P\theta_i \mid \theta_i \in csu(t, t')\,\}}{\Gamma \vdash P}$$

The notation $csu(t, t')$ is used here to denote a complete set of unifiers for $t$ and $t'$ modulo $\equiv$, i.e., a set of unifiers such that every unifier for the two terms is subsumed by a member of the set. The closed world assumption is expressed in the fact that $\Gamma \vdash P$ needs to be proved under only these substitutions. Note in particular that the set of right premises here is empty when $t$ and $t'$ are not unifiable, i.e., have no common instances.

The equality elimination rule could have simply used the set of all unifiers for $t$ and $t'$. Basing it on csus instead allows the cardinality of the premise set to be controlled, typically permitting it to be reduced to a finite collection from an infinite one. However, a problem with the way this rule is formulated is that this property is not stable under substitution. For example, consider the following derivation in which $x$ and $y$ are variables:

$$\frac{p\,x,\ x = y \vdash x = y \qquad (p\,x,\ x = y)[y/x] \vdash (p\,y)[y/x]}{p\,x,\ x = y \vdash p\,y}$$

If we were to apply the substitution $[t_1/x, t_2/y]$ to it, the branching structure of the derivation would have to be changed to reflect the nature of a csu for $t_1$ and $t_2$; this could well be an infinite set. A related problem manifests itself when we need to substitute a proof $\pi$ for an assumption into the derivation. If we were to work the proof substitution eagerly through each of the premises in the equality elimination rule, it would be necessary to modify the structure of $\pi$ to accord with the term substitution that indexes each of the premise derivations. In the context of deduction modulo, the instantiation in $\pi$ can create new opportunities for rewriting formulas. Since the choice of the "right" premise cannot be determined upfront, the eager propagation of proof substitutions into equality eliminations can lead to a form of speculative rewriting which, as we shall see, is problematic when recursive definitions are included.

We avoid these problems by formulating equality elimination in a way that allows for the suspension of term and proof substitutions. Specifically, this rule is

$$\frac{\Gamma \vdash t\theta = t'\theta \qquad \Gamma \vdash \Gamma'\theta \qquad \{\,\Gamma'\theta_i \vdash P\theta_i \mid \theta_i \in csu(t, t')\,\}}{\Gamma \vdash P\theta}$$

Here, $\Gamma \vdash \Gamma'\theta$ means that there is a derivation of $\Gamma \vdash Q$ for any $Q \in \Gamma'\theta$. This premise, which introduces a form of cut, allows us to delay the propagation of proof substitutions over the premises that represent the case analysis part of the rule. Notice also that we consider csus for $t$ and $t'$ and not $t\theta$ and $t'\theta$ over these premises, i.e., the application of the substitution is also suspended. Of course, these substitutions must eventually be applied. Forcing the application becomes the task of the reduction rule for equality that also simultaneously selects the right branch in the case analysis.

Our equality elimination rule also has the pleasing property of allowing the structure of proofs to be preserved under substitutions. For example, the proof

$$\frac{p\,x,\ x = y \vdash x = y \qquad p\,x,\ x = y \vdash p\,x \qquad (p\,x)[y/x] \vdash (p\,y)[y/x]}{p\,x,\ x = y \vdash p\,y}$$

under the substitution $\theta := [t_1/x, t_2/y]$ becomes

$$\frac{\Gamma \vdash (x = y)\theta \qquad \Gamma \vdash (p\,x)\theta \qquad (p\,x)[y/x] \vdash (p\,y)[y/x]}{\Gamma \vdash p\,t_2}$$

where $\Gamma = (p\,t_1,\ t_1 = t_2)$.

B. The logic μNJ modulo

The syntax of our formulas is based on a language of typed λ-terms. We do not describe this language in detail and assume only that it is equipped with standard notions of variables and substitutions. We distinguish $o$ as the type of propositions. Term types, denoted by $\gamma$, are ones that do not contain $o$. Predicates are expressions of type $\gamma_1 \to \ldots \to \gamma_n \to o$. Both formulas and predicates are denoted by $P$ or $Q$. We use $p$ or $q$ for predicate variables and $a$ for predicate constants. Terms are expressions of term types, and shall be denoted by $t$, $u$ or $v$. We use $x$, $y$ or $z$ for term variables. All expressions are considered up to $\beta$- and $\eta$-conversion. In addition to that basic syntactic equality, we assume a congruence relation $\equiv$. In Section V, we will describe conditions on such a congruence relation that are sufficient for ensuring the consistency of the logic.

Definition 1. A unifier of $u$ and $v$ is a substitution $\theta$ such that $u\theta \equiv v\theta$. A complete set of unifiers for $u$ and $v$, written $csu(u, v)$, is a set $\{\theta_i\}_i$ of unifiers of $u$ and $v$ such that any other unifier of $u$ and $v$ is of the form $\theta_i\theta'$ for some $i$ and $\theta'$. Note that complete sets of unifiers may not be unique. However, this ambiguity will be harmless in our setting.

Definition 2. Formulas are built as follows:

$$P ::= \top \mid \bot \mid P \supset Q \mid P \wedge Q \mid P \vee Q \mid \forall x.P \mid \exists x.P \mid t = t' \mid (\mu B\,t) \mid (\nu B\,t) \mid (p\,t) \mid (a\,t)$$



Here, $\wedge$, $\vee$ and $\supset$ are connectives of type $o \to o \to o$, equality has type $\gamma \to \gamma \to o$ and quantifiers have type $(\gamma \to o) \to o$ for any $\gamma$. Expressions of the form $a\,t$ are called atomic formulas. The least and greatest fixed point combinators $\mu$ and $\nu$ have the type $(\tau \to \tau) \to \tau$ for any $\tau$ of the form $\gamma \to o$. The first argument for these combinators, denoted by $B$, must have the form $\lambda p\lambda x.P$, called a predicate operator. Every predicate variable occurrence must be within such an operator, bound by the first abstraction in it. An occurrence of $p$ in a formula is positive if it is on the left of an even number of implications, and it is negative otherwise; $\lambda p\lambda x.P$ is said to be monotonic (resp. antimonotonic) if $p$ occurs only positively (resp. negatively) in $P$. We restrict the first argument of fixed-point combinators to be monotonic operators.

We now introduce a language of proof terms, and define 
type assignment. The terms and typing rules for all but the 
equality and fixed point cases are standard (e.g., see [8]). 
Following the Curry-Howard correspondence, (proof-level) 
types correspond to formulas, typing derivations correspond to 
proofs, and the reduction of proof terms corresponds to proof 
normalization. The guidelines determining the form of the 
new proof terms are that all information needed for reduction 
should be included in them and that type checking should be 
easily decidable. The details of our choices should become 
clear when we present the typing rules. 

Definition 3. Proof terms, denoted by $\pi$ and $\rho$, are given by the following syntax rules:

$$\begin{array}{rcl}
\pi & ::= & \alpha \mid \langle\rangle \mid \delta_\bot(\pi) \\
& \mid & \lambda\alpha.\pi \mid (\pi\ \pi') \\
& \mid & \langle\pi, \pi'\rangle \mid proj_1(\pi) \mid proj_2(\pi) \\
& \mid & in_1(\pi) \mid in_2(\pi) \mid \delta_\vee(\pi_1, \alpha.\pi_2, \beta.\pi_3) \\
& \mid & \lambda x.\pi \mid (\pi\ t) \\
& \mid & \langle t, \pi\rangle \mid \delta_\exists(\pi, x.\alpha.\pi') \\
& \mid & refl \mid \delta_=(\Gamma, \theta, \sigma, u, v, P, \pi, (\theta_i.\pi_i)_i) \\
& \mid & \mu(B, t, \pi) \mid \delta_\mu(\pi, x.\alpha.\pi') \\
& \mid & \nu(\pi, x.\alpha.\pi') \mid \delta_\nu(B, t, \pi)
\end{array}$$

Here and later, we use $\alpha$, $\beta$, $\gamma$ to denote proof variables, and $\sigma$ to denote substitutions for proof variables. The notation $(\theta_i.\pi_i)_i$ in the equality elimination construct stands for a finite, possibly empty, collection of subterms. In the expression $\theta.\pi$, all free variables of $\pi$ must be in the range of the substitution $\theta$. Finally, the notation $x.\pi$ or $\alpha.\pi$ denotes a binding construct, i.e., $x$ (resp. $\alpha$) is bound in $\pi$. As usual, terms are identified up to a renaming of bound variables, and renaming is used to avoid capture when propagating a substitution under a binder.

Typing judgments are relativized to contexts that are assignments of types to finite sets of proof variables. We denote contexts by $\Gamma$, written perhaps with subscripts and superscripts.

Definition 4. A proof term $\pi$ has type $P$ under the context $\Gamma$ if $\Gamma \vdash \pi : P$ is derivable using the rules in Figure 1. We also



$$\frac{P \equiv Q \quad (\alpha : Q) \in \Gamma}{\Gamma \vdash \alpha : P} \qquad \frac{P \equiv \top}{\Gamma \vdash \langle\rangle : P} \qquad \frac{\Gamma \vdash \pi : \bot}{\Gamma \vdash \delta_\bot(\pi) : P}$$

$$\frac{\Gamma, \alpha : P_1 \vdash \pi : P_2}{\Gamma \vdash \lambda\alpha.\pi : P}\ P \equiv P_1 \supset P_2 \qquad \frac{\Gamma \vdash \pi : Q \supset P \quad \Gamma \vdash \pi' : Q}{\Gamma \vdash \pi\ \pi' : P}$$

$$\frac{\Gamma \vdash \pi_1 : P_1 \quad \Gamma \vdash \pi_2 : P_2}{\Gamma \vdash \langle\pi_1, \pi_2\rangle : P}\ P \equiv P_1 \wedge P_2 \qquad \frac{\Gamma \vdash \pi : P_1 \wedge P_2}{\Gamma \vdash proj_i(\pi) : P_i}$$

$$\frac{\Gamma \vdash \pi : P_i}{\Gamma \vdash in_i(\pi) : P}\ P \equiv P_1 \vee P_2 \qquad \frac{\Gamma \vdash \pi : P_1 \vee P_2 \quad \Gamma, \alpha : P_1 \vdash \pi_1 : P \quad \Gamma, \beta : P_2 \vdash \pi_2 : P}{\Gamma \vdash \delta_\vee(\pi, \alpha.\pi_1, \beta.\pi_2) : P}$$

$$\frac{\Gamma \vdash \pi : Q}{\Gamma \vdash \lambda x.\pi : P}\ P \equiv \forall x.Q \qquad \frac{\Gamma \vdash \pi : \forall x.Q}{\Gamma \vdash \pi\ t : Q[t/x]} \qquad \frac{\Gamma \vdash \pi : Q[t/x]}{\Gamma \vdash \langle t, \pi\rangle : P}\ P \equiv \exists x.Q \qquad \frac{\Gamma \vdash \pi : \exists x.Q \quad \Gamma, \alpha : Q \vdash \pi' : P}{\Gamma \vdash \delta_\exists(\pi, x.\alpha.\pi') : P}$$

$$\frac{}{\Gamma \vdash refl : P}\ P \equiv (t = t) \qquad \frac{\Gamma \vdash \pi : u\theta = v\theta \quad \Gamma \vdash \sigma : \Gamma'\theta \quad (\Gamma'\theta_i \vdash \pi_i : Q\theta_i)_i}{\Gamma \vdash \delta_=(\Gamma', \theta, \sigma, u, v, Q, \pi, (\theta_i.\pi_i)_i) : P}\ \{\theta_i\}_i = csu(u, v),\ P \equiv Q\theta$$

$$\frac{\Gamma \vdash \pi : B\,(\mu B)\,t}{\Gamma \vdash \mu(B, t, \pi) : P}\ P \equiv \mu B\,t \qquad \frac{\Gamma \vdash \pi : \mu B\,t \quad \Gamma, \alpha : B\,S\,x \vdash \pi' : S\,x}{\Gamma \vdash \delta_\mu(\pi, x.\alpha.\pi') : P}\ P \equiv S\,t$$

$$\frac{\Gamma \vdash \pi : S\,t \quad \Gamma, \alpha : S\,x \vdash \pi' : B\,S\,x}{\Gamma \vdash \nu(\pi, x.\alpha.\pi') : P}\ P \equiv \nu B\,t \qquad \frac{\Gamma \vdash \pi : \nu B\,t}{\Gamma \vdash \delta_\nu(B, t, \pi) : P}\ P \equiv B\,(\nu B)\,t$$

Variables bound in proof terms are assumed to be new in instances of typing rules, i.e., they should not occur free in the base sequent. Specifically, $\alpha$, $\beta$, $x$ are assumed to be new in the introduction rules for implication, universal quantification and greatest fixed-point, as well as elimination rules for disjunction, existential quantification, equality and least fixed-point.

Fig. 1. μNJ: Natural deduction modulo with equality and least and greatest fixed points



say that $\Gamma' \vdash \sigma : \Gamma$ holds if $\Gamma$ and $\sigma$ have the same domain and $\Gamma' \vdash \sigma(\alpha) : \Gamma(\alpha)$ holds for each $\alpha$ in that domain.

C. Expressiveness of the logic 

The logic μNJ modulo inherits from logics of fixed-point definitions a simplicity in the treatment of (co)inductive sets and relations and from deduction modulo the ability to blend computation and deduction in the course of reasoning. We illustrate this aspect through a few simple examples here.

Natural numbers may be specified through the following least fixed point predicate:

$$nat \triangleq \mu\,(\lambda N\lambda x.\ x = 0 \vee \exists y.\ x = s\,y \wedge N\,y)$$

Specialized for this predicate, the least fixed point rules immediately give rise to the following standard derived rules:

$$\frac{}{\Gamma \vdash nat\ 0} \qquad \frac{\Gamma \vdash nat\ x}{\Gamma \vdash nat\ (s\,x)} \qquad \frac{\Gamma \vdash nat\ x \qquad \Gamma \vdash P\,0 \qquad \Gamma, P\,y \vdash P\,(s\,y)}{\Gamma \vdash P\,x}\ y \text{ new}$$

Having natural numbers, we can easily obtain the rest of Heyting arithmetic. Addition may be defined as an inductive relation, but the congruence also allows it to be defined more naturally as a term-level function, equipped with the rewrite rules $0 + y \to y$ and $(s\,x) + y \to s\,(x + y)$. Treating it in the latter way allows us to exploit the standard dichotomy between deduction and computation in deduction modulo to shorten proofs [6]. For example, $(s\,0) + (s\,0) = s\,(s\,0)$ can be proved in one step by using the fact that the two terms in the equation are congruent to each other. More general properties about addition defined in this way must be conditioned by assumptions about the structure of the terms. For instance, commutativity of addition should be stated as follows:

$$\forall x\forall y.\ nat\ x \supset nat\ y \supset x + y = y + x$$

This proposition can be proved by induction on the nat hypotheses, with the computation of addition being performed implicitly through the congruence when the structure of the first summand becomes known. Note that we do not have to know how to compute csus modulo arithmetic to build that derivation: all that is needed is the substitutivity principle $\forall x\forall y.\ x = y \supset P\,x \supset P\,y$ which only involves shallow unification.
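As an added example (not code from the paper), the following Python model implements the addition rewrite rules of this section, the congruence check that proves $(s\,0) + (s\,0) = s\,(s\,0)$ in one step, and the csu-based case analysis of the closed-world equality elimination rule applied to the unfolding of $nat$; the tuple encoding of terms and the restriction of csu computation to constructor terms are our own choices.

```python
# Added example, not code from the paper: a term-level rewriting layer for
# the addition rules of this section, the congruence it induces, and the
# csu-based case analysis behind closed-world equality elimination.
# Terms are tuples: ("var", name), ("0",), ("s", t), ("+", a, b).

ZERO = ("0",)

def V(name): return ("var", name)
def S(t): return ("s", t)
def PLUS(a, b): return ("+", a, b)
def is_var(t): return t[0] == "var"

def rewrite_root(t):
    """Apply  0 + y -> y  or  (s x) + y -> s (x + y)  at the root, else None."""
    if t[0] == "+":
        a, b = t[1], t[2]
        if a == ZERO:
            return b
        if a[0] == "s":
            return S(PLUS(a[1], b))
    return None

def normalize(t):
    """Innermost normal form; the two rules form a terminating, confluent system."""
    if is_var(t) or t == ZERO:
        return t
    t = (t[0],) + tuple(normalize(arg) for arg in t[1:])
    step = rewrite_root(t)
    return t if step is None else normalize(step)

def congruent(t, u):
    """t ≡ u holds iff the two terms have the same normal form."""
    return normalize(t) == normalize(u)

def apply_subst(sub, t):
    """Apply a substitution, chasing bindings of variables to variables."""
    if is_var(t):
        return apply_subst(sub, sub[t[1]]) if t[1] in sub else t
    return (t[0],) + tuple(apply_subst(sub, arg) for arg in t[1:])

def occurs(name, t):
    if is_var(t):
        return t[1] == name
    return any(occurs(name, arg) for arg in t[1:])

def unify(t, u, sub=None):
    """Syntactic most general unifier of t and u under sub, or None."""
    sub = {} if sub is None else sub
    t, u = apply_subst(sub, t), apply_subst(sub, u)
    if t == u:
        return sub
    if is_var(t):
        return None if occurs(t[1], u) else {**sub, t[1]: u}
    if is_var(u):
        return unify(u, t, sub)
    if t[0] != u[0] or len(t) != len(u):  # disjoint constructors: no unifier
        return None
    for a, b in zip(t[1:], u[1:]):
        sub = unify(a, b, sub)
        if sub is None:
            return None
    return sub

def constructor_term(t):
    """True for terms built from 0, s and variables only."""
    return is_var(t) or t == ZERO or (t[0] == "s" and constructor_term(t[1]))

def csu(t, u):
    """Complete set of unifiers modulo ≡ when both normal forms are constructor
    terms: the syntactic mgu of the normal forms is then complete, so the
    result has zero or one element, and [] is exactly the case in which the
    equality elimination rule has no right premises.  Normal forms that still
    contain + would need unification modulo arithmetic, which the proofs in
    this section avoid, so such inputs are rejected."""
    nt, nu = normalize(t), normalize(u)
    if not (constructor_term(nt) and constructor_term(nu)):
        raise ValueError("unification modulo arithmetic is not supported here")
    mgu = unify(nt, nu)
    return [] if mgu is None else [mgu]

def nat_unfolding_branches(t):
    """Unfold  nat t  through its single clause  t = 0 ∨ ∃y. t = s y ∧ nat y
    and run closed-world equality elimination on each disjunct.  Each branch
    maps to its list of case-analysis substitutions; [] means the branch is
    closed at once (the t = 0 branch when t has the form s n)."""
    return {"zero": csu(t, ZERO), "succ": csu(t, S(V("y")))}

def commutativity_step(x1, y):
    """Induction step of  ∀x∀y. nat x ⊃ nat y ⊃ x + y = y + x  at x := s x1:
    the congruence computes (s x1) + y to s (x1 + y) implicitly, while y + s x1
    stays stuck until the structure of y is known (hence the nat y hypothesis)."""
    return normalize(PLUS(S(x1), y)), normalize(PLUS(y, S(x1)))
```

Running `nat_unfolding_branches(S(V("n")))` closes the `zero` branch (empty csu, since $s\,n$ and $0$ have disjoint constructors) and keeps the `succ` branch under the single unifier identifying $y$ with $n$.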

III. Reductions on Proof Terms

As usual, we consider reducing proof terms in which an elimination rule for a logical symbol immediately follows an introduction rule for the same symbol. Substitutions for both term-level and proof-level variables play an important role in describing such reductions. They are defined as usual, extended as shown in Figure 2 for equality and for the least and greatest fixed-point constructs. Note that substitutions are suspended over the parts representing case analysis in the equality elimination rule as discussed earlier. The next two lemmas show that this treatment of substitution is coherent.



$$\begin{array}{rcl}
(\delta_=(\Gamma, \theta', \sigma', u, v, P, \pi, (\theta_i.\pi_i)_i))\theta & \stackrel{def}{=} & \delta_=(\Gamma, \theta'\theta, \sigma'\theta, u, v, P, \pi\theta, (\theta_i.\pi_i)_i) \\
(\delta_=(\Gamma, \theta', \sigma', u, v, P, \pi, (\theta_i.\pi_i)_i))\sigma & \stackrel{def}{=} & \delta_=(\Gamma, \theta', \sigma'\sigma, u, v, P, \pi\sigma, (\theta_i.\pi_i)_i) \\
(\mu(B, t, \pi))\theta & \stackrel{def}{=} & \mu(B\theta, t\theta, \pi\theta) \qquad (\delta_\mu(\pi, x.\alpha.\pi'))\theta \stackrel{def}{=} \delta_\mu(\pi\theta, x.\alpha.\pi'\theta) \\
(\mu(B, t, \pi))\sigma & \stackrel{def}{=} & \mu(B, t, \pi\sigma) \qquad (\delta_\mu(\pi, x.\alpha.\pi'))\sigma \stackrel{def}{=} \delta_\mu(\pi\sigma, x.\alpha.\pi'\sigma) \\
(\nu(\pi, x.\alpha.\pi'))\theta & \stackrel{def}{=} & \nu(\pi\theta, x.\alpha.\pi'\theta) \qquad (\delta_\nu(B, t, \pi))\theta \stackrel{def}{=} \delta_\nu(B\theta, t\theta, \pi\theta) \\
(\nu(\pi, x.\alpha.\pi'))\sigma & \stackrel{def}{=} & \nu(\pi\sigma, x.\alpha.\pi'\sigma) \qquad (\delta_\nu(B, t, \pi))\sigma \stackrel{def}{=} \delta_\nu(B, t, \pi\sigma)
\end{array}$$

Fig. 2. Term and proof-level substitutions into equality, least and greatest fixed-point proof terms



Lemma 1. Term-level substitution preserves type assignment: $\Gamma \vdash \pi : P$ implies $\Gamma\theta \vdash \pi\theta : P\theta$.

Proof: This is easily checked by induction on the typing derivation. An interesting case is that of equality elimination. Consider the following derivation:

$$\frac{\Gamma \vdash \pi : u\theta' = v\theta' \qquad \Gamma \vdash \sigma : \Gamma'\theta' \qquad (\Gamma'\theta'_i \vdash \pi_i : P'\theta'_i)_i}{\Gamma \vdash \delta_=(\Gamma', \theta', \sigma, u, v, P', \pi, (\theta'_i.\pi_i)_i) : P}\ P \equiv P'\theta'$$

By the induction hypothesis, $\Gamma\theta \vdash \pi\theta : u\theta'\theta = v\theta'\theta$ and $\Gamma\theta \vdash \sigma\theta : \Gamma'\theta'\theta$ have derivations. From these we build the derivation

$$\frac{\Gamma\theta \vdash \pi\theta : u\theta'\theta = v\theta'\theta \qquad \Gamma\theta \vdash \sigma\theta : \Gamma'\theta'\theta \qquad (\Gamma'\theta'_i \vdash \pi_i : P'\theta'_i)_i}{\Gamma\theta \vdash \delta_=(\Gamma', \theta'\theta, \sigma\theta, u, v, P', \pi\theta, (\theta'_i.\pi_i)_i) : P\theta}\ P\theta \equiv P'\theta'\theta$$

∎

Lemma 2. If $\Gamma \vdash \pi : P$ and $\Gamma' \vdash \sigma : \Gamma$ then $\Gamma' \vdash \pi\sigma : P$.

Proof: This is shown also by induction on the typing derivation. An interesting case, again, is that of equality elimination. Consider the following derivation:

$$\frac{\Gamma \vdash \pi : u\theta = v\theta \qquad \Gamma \vdash \sigma' : \Gamma''\theta \qquad (\Gamma''\theta_i \vdash \pi_i : P'\theta_i)_i}{\Gamma \vdash \delta_=(\Gamma'', \theta, \sigma', u, v, P', \pi, (\theta_i.\pi_i)_i) : P}\ P \equiv P'\theta$$

By the induction hypothesis, $\Gamma' \vdash \pi\sigma : u\theta = v\theta$ and $\Gamma' \vdash \sigma'\sigma : \Gamma''\theta$ have derivations. From these we build the derivation

$$\frac{\Gamma' \vdash \pi\sigma : u\theta = v\theta \qquad \Gamma' \vdash \sigma'\sigma : \Gamma''\theta \qquad (\Gamma''\theta_i \vdash \pi_i : P'\theta_i)_i}{\Gamma' \vdash \delta_=(\Gamma'', \theta, \sigma'\sigma, u, v, P', \pi\sigma, (\theta_i.\pi_i)_i) : P}\ P \equiv P'\theta$$

∎

The most interesting reduction rules are those for the least and greatest fixed-point operators. In the former case, the rule must apply to a proof of the form

$$\frac{\dfrac{\Gamma \vdash \pi : B\,(\mu B)\,t}{\Gamma \vdash \mu(B, t, \pi) : \mu B\,t} \qquad \Gamma, \alpha : B\,S\,x \vdash \pi' : S\,x}{\Gamma \vdash \delta_\mu(\mu(B, t, \pi), x.\alpha.\pi') : S\,t}$$

This redex can be eliminated by generating a proof of $\Gamma \vdash S\,t$ directly from the derivation of $\Gamma \vdash \pi : B\,(\mu B)\,t$: doing this effectively means that we move the redex (cut) deeper into the iteration that introduces the least fixed point. To realize this transformation, we proceed as follows:

• Using the derivation $\pi'$, we can get a proof of $S\,t$ from $B\,S\,t$. Thus, the task reduces to generating a proof of $B\,S\,t$ from $B\,(\mu B)\,t$.

• Using again $\pi'$, we get a derivation for $\Gamma, \beta : \mu B\,x \vdash \delta_\mu(\beta, x.\alpha.\pi') : S\,x$. If we can show how to "lift" this derivation over the operator $\lambda p.(B\,p\,t)$, we obtain the needed derivation of $B\,S\,t$ from $\pi : B\,(\mu B)\,t$.
For the latter step, we use the notion of functoriality [13]. For any monotonic operator $B$, we define the functor $F_B$ for which the following typing rule is admissible:

$$\frac{\Gamma, \alpha : P\,x \vdash \pi : P'\,x}{\Gamma \vdash F_B(x.\alpha.\pi) : (B\,P) \supset (B\,P')}$$

Definition 5 (Functoriality, $F_B(\pi)$). Let $B$ be an operator of type $(\gamma \to o) \to o$, and $\pi$ be a proof such that $\alpha : P\,x \vdash \pi : P'\,x$. We define $F^+_B(x.\alpha.\pi)$ of type $B\,P \supset B\,P'$ for a monotonic $B$ and $F^-_B(x.\alpha.\pi)$ of type $B\,P' \supset B\,P$ for an antimonotonic $B$ by induction on the maximum depth of an occurrence of $p$ in $B\,p$ through the rules in Figure 3. In these rules, $*$ denotes any polarity ($+$ or $-$) and $-*$ denotes the complementary one. We write $F^+_B(x.\alpha.\pi)$ more simply as $F_B(x.\alpha.\pi)$.

Checking the admissibility of the typing rule pertaining to $F_B$ is mostly routine. We illustrate how this is to be done by considering the least fixed point case in Figure 4; the greatest fixed point case is shown in Figure 7 in the appendices.

The full collection of reduction rules is presented in Figure 5. Note that the reduction rule for equality is not deterministic as stated: determinism can be forced if needed by suitable assumptions on csus or by forcing a particular choice of $\theta_i$ and $\theta'$ in case of multiple possibilities.

Theorem 1 (Subject reduction). If $\Gamma \vdash \pi : P$ and $\pi \to \pi'$ then $\Gamma \vdash \pi' : P$.

Proof: This follows from the above substitution lemmas. For example, consider the equality case. If $u\theta \equiv v\theta$ then $\delta_=(\Gamma', \theta, \sigma, u, v, P, refl, (\theta'_i.\pi'_i)_i) \to \pi'_i\theta''\sigma$ where $\theta = \theta'_i\theta''$. We have a derivation of $\Gamma'\theta'_i \vdash \pi'_i : P\theta'_i$. Hence, by applying $\theta''$ and using Lemma 1, $\Gamma'\theta \vdash \pi'_i\theta'' : P\theta$ must have a derivation. Finally, since $\Gamma \vdash \sigma : \Gamma'\theta$ has a derivation, by Lemma 2 there must be one for $\Gamma \vdash \pi'_i\theta''\sigma : P\theta$. ∎

Proposition 1. For any proof terms $\pi$, $\pi'$ and $\rho$ and any term $t$, $\pi \to \pi'$ implies $\pi[\rho/\alpha] \to \pi'[\rho/\alpha]$ and $\pi[t/x] \to \pi'[t/x]$.

Proof: Both implications are easily checked. ∎
A proof term is normal if it contains no redexes and it is strongly normalizable if every reduction sequence starting


$$\begin{array}{rcl}
F^*_{\lambda p.Q}(x.\alpha.\pi) & = & \lambda\beta.\beta \quad \text{if } p \text{ does not occur in } Q \\
F^*_{\lambda p.\,p\,t}(x.\alpha.\pi) & = & \lambda\alpha.\pi[t/x] \\
F^*_{\lambda p.(B_1\,p) \wedge (B_2\,p)}(x.\alpha.\pi) & = & \lambda\beta.\langle F^*_{B_1}(x.\alpha.\pi)\,(proj_1\,\beta),\ F^*_{B_2}(x.\alpha.\pi)\,(proj_2\,\beta)\rangle \\
F^*_{\lambda p.(B_1\,p) \vee (B_2\,p)}(x.\alpha.\pi) & = & \lambda\beta.\delta_\vee(\beta,\ \gamma.in_1(F^*_{B_1}(x.\alpha.\pi)\,\gamma),\ \gamma.in_2(F^*_{B_2}(x.\alpha.\pi)\,\gamma)) \\
F^*_{\lambda p.(B_1\,p) \supset (B_2\,p)}(x.\alpha.\pi) & = & \lambda\beta.\lambda\gamma.F^*_{B_2}(x.\alpha.\pi)\,(\beta\,(F^{-*}_{B_1}(x.\alpha.\pi)\,\gamma)) \\
F^*_{\lambda p.\forall y.(B\,p\,y)}(x.\alpha.\pi) & = & \lambda\beta.\lambda y.F^*_{\lambda p.B\,p\,y}(x.\alpha.\pi)\,(\beta\,y) \\
F^*_{\lambda p.\exists y.(B\,p\,y)}(x.\alpha.\pi) & = & \lambda\beta.\delta_\exists(\beta,\ y.\gamma.\langle y,\ F^*_{\lambda p.B\,p\,y}(x.\alpha.\pi)\,\gamma\rangle) \\
F^*_{\lambda p.\mu(B\,p)\,t}(x.\alpha.\pi) & = & \lambda\beta.\delta_\mu(\beta,\ y.\gamma.\mu(B\,P', y, F^*_{\lambda p.B\,p\,(\mu(B\,P'))\,y}(x.\alpha.\pi)\,\gamma)) \\
F^*_{\lambda p.\nu(B\,p)\,t}(x.\alpha.\pi) & = & \lambda\beta.\nu(\beta,\ y.\gamma.F^*_{\lambda p.B\,p\,(\nu(B\,P))\,y}(x.\alpha.\pi)\,(\delta_\nu(B\,P, y, \gamma)))
\end{array}$$

Fig. 3. Definition of functoriality

$$\frac{\Gamma, \beta : \mu(B\,P)\,t \vdash \beta : \mu(B\,P)\,t \qquad \dfrac{\Gamma, \beta : \mu(B\,P)\,t,\ \gamma : B\,P\,(\mu(B\,P'))\,x \vdash F_{\lambda p.B\,p\,(\mu(B\,P'))\,x}(x.\alpha.\pi)\,\gamma : B\,P'\,(\mu(B\,P'))\,x}{\Gamma, \beta : \mu(B\,P)\,t,\ \gamma : B\,P\,(\mu(B\,P'))\,x \vdash \mu(B\,P', x, \ldots) : \mu(B\,P')\,x}}{\Gamma, \beta : \mu(B\,P)\,t \vdash \delta_\mu(\beta, \ldots) : \mu(B\,P')\,t}$$

Fig. 4. Typing functoriality for least fixed-points

$$\begin{array}{rcl}
(\lambda\alpha.\pi)\,\pi' & \to & \pi[\pi'/\alpha] \\
proj_i(\langle\pi_1, \pi_2\rangle) & \to & \pi_i \\
\delta_\vee(in_1(\pi), \alpha.\pi_1, \beta.\pi_2) & \to & \pi_1[\pi/\alpha] \\
\delta_\vee(in_2(\pi), \alpha.\pi_1, \beta.\pi_2) & \to & \pi_2[\pi/\beta] \\
(\lambda x.\pi)\,t & \to & \pi[t/x] \\
\delta_\exists(\langle t, \pi\rangle, x.\alpha.\pi') & \to & \pi'[t/x][\pi/\alpha] \\
\delta_\mu(\mu(B, t, \pi), x.\alpha.\pi') & \to & \pi'[t/x][(F_{\lambda p.B\,p\,t}(x.\beta.\delta_\mu(\beta, x.\alpha.\pi'))\,\pi)/\alpha] \\
\delta_\nu(B, t, \nu(\pi, x.\alpha.\pi')) & \to & F_{\lambda p.B\,p\,t}(x.\beta.\nu(\beta, x.\alpha.\pi'))\,(\pi'[t/x][\pi/\alpha]) \\
\delta_=(\Gamma, \theta, \sigma, u, v, P, refl, (\theta_i.\pi_i)_i) & \to & \pi_i\theta'\sigma \quad \text{where } \theta = \theta_i\theta'
\end{array}$$

Fig. 5. Reduction rules for μNJ proof terms





from it terminates in a normal proof term. The set of strongly normalizable proof terms is denoted by $SN$. The normalizability of proof terms can be coupled with the following observation to show the (conditional) consistency of the logic.

Lemma 3. If $\equiv$ is defined by a confluent rewrite system that rewrites terms to terms and atomic propositions to propositions, then $\vdash \pi : \bot$ is not derivable for any normal $\pi$.

Proof: This standard observation is not affected by the rewriting layer, since $\bot$ cannot be equated with another logical connective under the assumptions on $\equiv$, and it is not affected either by our new constructs, for which progress is ensured: eliminations followed by introductions can always be reduced. More details may be found in Appendix I. ∎

IV. Strong Normalizability

In a fashion similar to [8], we now establish strong normalizability for proof reductions when the congruence relation satisfies certain general conditions. The proof is based on the framework of reducibility candidates, and borrows elements from earlier work in linear logic [3] regarding fixed-points.

Definition 6. A proof term is neutral iff it is not an introduction, i.e., it is a variable or an elimination construct.

Definition 7. A set $R$ of proof terms is a reducibility candidate if (1) $R \subseteq SN$; (2) $\pi \in R$ and $\pi \to \pi'$ implies $\pi' \in R$; and (3) if $\pi$ is neutral and all of its one-step reducts are in $R$, then $\pi \in R$. We denote by $\mathcal{C}$ the set of all reducibility candidates.

Conditions (2,3) are positive and compatible with (1) so that for any subset $S$ of $SN$ there is a least candidate containing $S$. We refer to the operation that yields this set as saturation. Reducibility candidates, equipped with inclusion, form a complete lattice: the intersection of a family of candidates gives their infimum and the saturated union gives their supremum. Having a complete lattice, we can define least and greatest fixed points of monotonic operators. The ordering and the observations about it lift pointwise for functions from terms to candidates, which we call predicate candidates. We use $X$ and $Y$ ambiguously to denote candidates and predicate candidates.

Definition 8. A pre-model $\mathcal{M}$ is an assignment of a function $\hat a$ from $|\gamma_1| \times \ldots \times |\gamma_n|$ to $\mathcal{C}$ to each predicate constant $a$ of type $\gamma_1 \to \ldots \to \gamma_n \to o$. Here, $|\gamma|$ denotes the set of (potentially open) terms of type $\gamma$.

Definition 9. Let $\mathcal{M}$ be a pre-model, let $P$ be a formula and let $\phi$ be a context assigning predicate candidates of the right types to at least the free predicate variables in $P$. We define the candidate $|P|^\phi$, called the interpretation of $P$, by recursion on the structure of $P$ as shown in Figure 6.

To justify this definition, we show simultaneously by an induction on $P$ that $|P|^\phi$ is a candidate and that it is monotonic



$$\begin{array}{l}
|\bot|^\phi = |\top|^\phi = |u = v|^\phi = SN \qquad |p\,t_1 \ldots t_n|^\phi = \phi(p)(t_1, \ldots, t_n) \qquad |a\,t_1 \ldots t_n|^\phi = \hat a(t_1, \ldots, t_n) \\[4pt]
|P \supset Q|^\phi = \{\pi \in SN \mid \pi \to^* \lambda\alpha.\pi_1 \text{ implies } \pi_1[\pi'/\alpha] \in |Q|^\phi \text{ for any } \pi' \in |P|^\phi\} \\[4pt]
|P \wedge Q|^\phi = \{\pi \in SN \mid \pi \to^* \langle\pi_1, \pi_2\rangle \text{ implies } \pi_1 \in |P|^\phi \text{ and } \pi_2 \in |Q|^\phi\} \\[4pt]
|P_1 \vee P_2|^\phi = \{\pi \in SN \mid \pi \to^* in_i(\pi') \text{ implies } \pi' \in |P_i|^\phi\} \\[4pt]
|\forall x.P|^\phi = \{\pi \in SN \mid \pi \to^* \lambda x.\pi' \text{ implies } \pi'[t/x] \in |P[t/x]|^\phi \text{ for any } t\} \\[4pt]
|\exists x.P|^\phi = \{\pi \in SN \mid \pi \to^* \langle t, \pi'\rangle \text{ implies } \pi'[t/x] \in |P[t/x]|^\phi\} \\[4pt]
|\mu B\,t|^\phi = lfp(\Phi)(t) \text{ where } \Phi(X) = t \mapsto \{\pi \in SN \mid \pi \to^* \mu(B, t, \pi') \text{ implies } \pi' \in |B\,p\,t|^{\phi + (p \mapsto X)}\} \\[4pt]
|\nu B\,t|^\phi = gfp(\Phi)(t) \text{ where } \Phi(X) = t \mapsto \{\pi \mid \delta_\nu(B, t, \pi) \in |B\,p\,t|^{\phi + (p \mapsto X)}\}
\end{array}$$

Fig. 6. Interpretation of formulas as candidates



(resp. anti-monotonic) in $\phi(p)$ for any variable $p$ that only occurs positively (resp. negatively) in $P$; the latter two facts ensure that the fixed points assumed in the definition actually exist, anti-monotonicity being needed because of the covariance in implication formulas. Preservation of (anti)monotonicity and satisfaction of the conditions for reducibility candidates are readily verified in all but the fixed point cases. For the least fixed point case, $|\mu B\,t|^\phi$ is easily seen to be a candidate provided it is well-defined, i.e., if $lfp(\Phi)$ exists for $\Phi$ as in the definition. But this must be so: the induction hypothesis applied to $B\,p\,t$ ensures that $\Phi$ is a monotonic mapping, hence it has a least fixed point in the lattice of predicate candidates. For monotonicity, consider $\phi$ and $\phi'$ differing only on a variable $p$ that occurs only positively in $\mu B\,t$, with $\phi(p) \subseteq \phi'(p)$. Let $|\mu B\,t|^{\phi'} = lfp(\Phi')(t)$. Unfolding and using the induction hypothesis, we have $\Phi(X) \subseteq \Phi'(X)$ for any candidate $X$, and in particular $\Phi(|\mu B|^{\phi'}) \subseteq \Phi'(|\mu B|^{\phi'}) = |\mu B|^{\phi'}$. The least fixed point being contained in all prefixed points, we obtain the expected result: $|\mu B\,t|^\phi = lfp(\Phi)(t) \subseteq |\mu B\,t|^{\phi'}$. Antimonotonicity is established in a symmetric fashion. The treatment of the greatest fixed point case is similar.

Notation 1. If $P$ is a predicate of type $\gamma \to o$, $|P|^\phi$ denotes the mapping $t \mapsto |P\,t|^\phi$. If $B$ is of type $(\gamma \to o) \to o$, $|B|^\phi$ denotes the mapping $X \mapsto |B\,p|^{\phi + (p \mapsto X)}$ and if $B$ is a predicate operator of type $(\gamma \to o) \to \gamma \to o$, $|B|^\phi$ denotes the mapping $X \mapsto t \mapsto |B\,p\,t|^{\phi + (p \mapsto X)}$. For conciseness we write directly $|B\,X|^\phi$ for $|\lambda p.\,B\,p|^\phi(X)$ or, equivalently, $|B|^\phi(X)$.

Lemma 4. Interpretation commutes with second-order substitution: $|B[P/p]|^\phi = |B|^{\phi + (p \mapsto |P|^\phi)}$.

Proof: Straightforward, by induction on $B$. ∎
We naturally extend the interpretation to typing contexts: if $\Gamma = (\alpha_1 : P_1, \ldots, \alpha_n : P_n)$, $|\Gamma|^{\mathcal E} = (\alpha_1 : |P_1|^{\mathcal E}, \ldots, \alpha_n : |P_n|^{\mathcal E})$. We also write $\sigma \in |\Gamma|^{\mathcal E}$ when $\sigma$ is of the form $\{\pi_1/\alpha_1, \ldots, \pi_n/\alpha_n\}$ with $\pi_i \in |P_i|^{\mathcal E}$ for all $i$.

Definition 10. If $\pi$ is a proof term with free variables $\alpha_1, \ldots, \alpha_n$ and $Y, X_1, \ldots, X_n$ are reducibility candidates, we say that $\pi$ is $(\alpha_1 : X_1, \ldots, \alpha_n : X_n \vdash Y)$-reducible if $\pi[\pi'_i/\alpha_i]_i \in Y$ for any $(\pi'_i \in X_i)_i$. When it is not ambiguous, we may omit the variables and simply say that $\pi$ is $(X_1, \ldots, X_n \vdash Y)$-reducible.

Definition 11. A pre-model $\mathcal{M}$ is a pre-model of $\equiv$ iff it accords the same interpretation to formulas that are congruent.



In the rest of this section, we assume that $\mathcal{M}$ is a pre-model of the congruence, and we show that if $\Gamma \vdash \pi : P$ has a proof then $\pi$ is $(|\Gamma|^{\mathcal E} \vdash |P|^{\mathcal E})$-reducible. In order to do so, we prove adequacy lemmas which show that each typing rule can be simulated in the interpretation.

Lemma 5. The following properties hold for any context $\mathcal{E}$.

($\supset$) - If $\pi$ is $(\alpha : |P|^{\mathcal E} \vdash |Q|^{\mathcal E})$-reducible, then $\lambda\alpha.\pi \in |P \supset Q|^{\mathcal E}$.
    - If $\pi \in |P \supset Q|^{\mathcal E}$ and $\pi' \in |P|^{\mathcal E}$, then $\pi\,\pi' \in |Q|^{\mathcal E}$.

($\wedge$) - If $\pi_1 \in |P_1|^{\mathcal E}$ and $\pi_2 \in |P_2|^{\mathcal E}$, then $\langle\pi_1, \pi_2\rangle \in |P_1 \wedge P_2|^{\mathcal E}$.
    - If $\pi \in |P_1 \wedge P_2|^{\mathcal E}$, then $\mathrm{proj}_1(\pi) \in |P_1|^{\mathcal E}$ and $\mathrm{proj}_2(\pi) \in |P_2|^{\mathcal E}$.

($\vee$) - If $\pi \in |P_i|^{\mathcal E}$ for $i \in \{1, 2\}$, then $\mathrm{in}_i(\pi) \in |P_1 \vee P_2|^{\mathcal E}$.
    - If $\pi \in |P_1 \vee P_2|^{\mathcal E}$ and each $\pi_i$ is $(\alpha : |P_i|^{\mathcal E} \vdash |Q|^{\mathcal E})$-reducible, then $\delta_\vee(\pi, \alpha.\pi_1, \alpha.\pi_2) \in |Q|^{\mathcal E}$.

($\top$) - The proof $\langle\rangle$ belongs to $|\top|^{\mathcal E}$.

($\bot$) - If $\pi \in |\bot|^{\mathcal E}$, then $\delta_\bot(\pi) \in |P|^{\mathcal E}$ for any $P$.

($\forall$) - If $\pi[t/x] \in |P[t/x]|^{\mathcal E}$ for any $t$, then $\lambda x.\pi \in |\forall x.\,P|^{\mathcal E}$.
    - If $\pi \in |\forall x.\,P|^{\mathcal E}$, then $\pi\,t \in |P[t/x]|^{\mathcal E}$.

($\exists$) - If $\pi \in |P[t/x]|^{\mathcal E}$, then $\langle t, \pi\rangle \in |\exists x.\,P|^{\mathcal E}$.
    - If $\pi \in |\exists x.\,P|^{\mathcal E}$ and $\pi'[t/x]$ is $(\alpha : |P[t/x]|^{\mathcal E} \vdash |Q|^{\mathcal E})$-reducible for any $t$, then $\delta_\exists(\pi, x.\alpha.\pi') \in |Q|^{\mathcal E}$.

($=$) - $\mathrm{refl} \in |t = t|^{\mathcal E}$.
    - If $\pi \in |t\theta = t'\theta|^{\mathcal E}$, $\sigma \in |\Gamma\theta|^{\mathcal E}$ and $\pi_i\theta'$ is $(|\Gamma\theta_i\theta'|^{\mathcal E} \vdash |P\theta_i\theta'|^{\mathcal E})$-reducible for any $i$ and $\theta'$, then $\delta_=(\Gamma, \theta, \sigma, t, t', P, \pi, (\theta_i.\pi_i)_i) \in |P\theta|^{\mathcal E}$.

($\mu$) - If $\pi \in |B(\mu B)\,\vec t|^{\mathcal E}$, then $\mu(B, \vec t, \pi) \in |\mu B\,\vec t|^{\mathcal E}$.

($\nu$) - If $\pi \in |\nu B\,\vec t|^{\mathcal E}$, then $\delta_\nu(B, \vec t, \pi) \in |B(\nu B)\,\vec t|^{\mathcal E}$.

Proof: These observations are proved easily using standard proof techniques on candidates. We illustrate only a few cases here; more details may be found in Appendix I. For the case of least fixed point introductions, we have $|\mu B\,\vec t|^{\mathcal E} = \mathrm{lfp}(\phi)(\vec t) = \phi(|\mu B|^{\mathcal E})(\vec t)$ by Definition 9, and thus $|\mu B\,\vec t|^{\mathcal E} = \{\rho \in SN \mid \rho \to^* \mu(B, \vec t, \pi') \text{ implies } \pi' \in |B(\mu B)\,\vec t|^{\mathcal E}\}$ by Lemma 4, from which it is easy to conclude. Similarly, we observe that $|\nu B\,\vec t|^{\mathcal E} = \{\pi \mid \delta_\nu(B, \vec t, \pi) \in |B(\nu B)\,\vec t|^{\mathcal E}\}$, from which the greatest fixed point elimination case follows immediately. Finally, the equality elimination case is proved by induction on the strong normalizability of the subderivations $\pi$, $\sigma$ and $\pi_i$. In order to show that a neutral term belongs to a candidate, it suffices to consider all its one-step reducts. Reductions occurring inside subterms are handled by induction hypothesis. We may also have a toplevel redex when $t\theta = t'\theta$ and $\pi = \mathrm{refl}$, reducing to $\pi_i\theta'\sigma$ where $\theta'$ is such that $\theta_i\theta' = \theta$. By hypothesis, $\pi_i\theta'$ is $(|\Gamma\theta_i\theta'|^{\mathcal E} \vdash |P\theta_i\theta'|^{\mathcal E})$-reducible and $\sigma \in |\Gamma\theta|^{\mathcal E} = |\Gamma\theta_i\theta'|^{\mathcal E}$, and thus we have $\pi_i\theta'\sigma \in |P\theta|^{\mathcal E}$ as expected. ■

Although adequacy is easily proved for our new equality formulation, a few important observations should be made here. First, the proof crucially relies on the fact that we are considering only syntactic pre-models, and not the general notion of pre-model of Dowek and Werner where terms may be interpreted in arbitrary structures. This requirement makes sense conceptually, since closed-world equality internalizes the fact that equality can only hold when the congruence allows it, and is thus incompatible with further equalities that could hold in non-trivial semantic interpretations. Second, the suspension of proof-level substitutions in equality elimination goes hand in hand with the independence of interpretations for different predicate instances, which in turn is necessary to interpret recursive definitions. Indeed, when applying a proof-level substitution $\sigma \in |\Gamma|^{\mathcal E}$ on an eager equality elimination, we are forced to apply the csu substitutions on $\sigma$, and we need $\sigma \in |\Gamma\theta_i|^{\mathcal E}$, which essentially forces us to have a term-independent interpretation [3].

We now address the adequacy of functoriality, induction and coinduction.

Lemma 6. Let $\pi$ be a proof, and let $X$ and $X'$ be predicate candidates such that $\pi[\vec t/\vec x]$ is $(\alpha : X\vec t \vdash X'\vec t)$-reducible for any $\vec t$. If $B$ is a monotonic (resp. antimonotonic) operator, then $F^+_B(\vec x.\alpha.\pi) \in |BX \supset BX'|$ (resp. $F^-_B(\vec x.\alpha.\pi) \in |BX' \supset BX|$).

Lemma 7. Let $\pi$ be a proof and $X$ a predicate candidate. If $\pi[\vec t/\vec x]$ is $(\alpha : |B|X\vec t \vdash X\vec t)$-reducible for any $\vec t$ then $\delta_\mu(\beta, \vec x.\alpha.\pi)$ is $(\beta : |\mu B\,\vec t| \vdash X\vec t)$-reducible for any $\vec t$.

Lemma 8. Let $\pi$ be a proof and $X$ a predicate candidate. If $\pi[\vec t/\vec x]$ is $(\alpha : X\vec t \vdash |B|X\vec t)$-reducible for any $\vec t$, then $\nu(\beta, \vec x.\alpha.\pi)$ is $(\beta : X\vec t \vdash |\nu B\,\vec t|)$-reducible for any $\vec t$.

Proof: These lemmas must be proved simultaneously, in a generalized form that is detailed in Appendix I. There is no essential difficulty in proving the functoriality lemma, using previously proved adequacy properties as well as the other two lemmas for the fixed point cases. The next two lemmas are the interesting ones, since they involve using the properties of the fixed point interpretations to justify the (co)induction rules. In the case of induction, we need to establish that $\delta_\mu(\rho, \vec x.\alpha.\pi) \in X\vec t$ when $\rho \in |\mu B\,\vec t|$. In order to do this, it suffices to show that $|\mu B|$ is included in $Y := \vec t \mapsto \{\rho \mid \delta_\mu(\rho, \vec x.\alpha.\pi) \in X\vec t\}$. This follows from the fact that $Y$ is a pre-fixed point of the operator $\phi$ such that $|\mu B| = \mathrm{lfp}(\phi)$, which can be proved easily using the adequacy property for functoriality. We proceed similarly for the coinduction rule, showing that

$Y := \vec t \mapsto \{\pi \in SN \mid \pi \to^* \nu(\rho, \vec x.\alpha.\pi') \text{ implies } \rho \in X\vec t \text{ and } \pi'[\vec t/\vec x] \text{ is } (\alpha : X\vec t \vdash |B|X\vec t)\text{-reducible for any } \vec t\}$

is a post-fixed point of the operator $\phi$ such that $|\nu B| = \mathrm{gfp}(\phi)$. In both cases, note that the candidate $Y$ is a priori not the interpretation of any predicate; this is where we use the power of reducibility candidates. ■



Theorem 2 (Adequacy). Let $\equiv$ be a congruence, $\mathcal{M}$ be a pre-model of $\equiv$ and $\Gamma \vdash \pi : P$ be a derivable judgment. Then $\pi\sigma \in |P|$ for any substitution $\sigma \in |\Gamma|$.

Proof: By induction on the height of $\pi$, using the previous adequacy properties. ■

The usual corollaries hold. Since variables belong to any candidate by condition (3), we can take $\sigma$ to be the identity substitution, and obtain that any well-typed proof is strongly normalizable. Together with Lemma 3, this means that our logic is consistent. Note that the suspended computations in the (co)induction and equality elimination rules do not affect these corollaries, because they can only occur in normal forms of specific types. For instance, equality elimination cannot hide a non-terminating computation if there is no equality assumption in the context.

V. Recursive Definitions

We now identify a class of rewrite rules relative to which we can always build a pre-model. This class supports recursive definitions whose use we illustrate through a sound formalization of a Tait-style argument.

A. Recursive rewriting that admits a pre-model

The essential idea behind recursive definitions is that they are formed gradually, following the inductive structure of one of their arguments, or more generally a well-founded order on arguments. In order to reflect this idea into a pre-model construction, we need to identify all the atom interpretations that could be involved in the interpretation of a given formula. This is the purpose of the next definition.

Definition 12. We say that $P$ may occur in $Q$ when $P = P'\theta$, $P'$ occurs in $Q$, and $\theta$ is a substitution for variables quantified over in $Q$.

For example, $(a\,t)$ may occur in $(a'\,x \wedge \exists y.\,a\,y)$ for any $t$.

Theorem 3. Let $\equiv$ be a congruence defined by a rewrite system rewriting terms to terms and atomic propositions to propositions, and let $\mathcal{M}$ be a pre-model of $\equiv$. Consider the addition of new predicate symbols $a_1, \ldots, a_n$ in the language, together with the extension of the congruence resulting from the addition of rewrite rules of the form $a_i\,\vec t \to B$. There is a pre-model of the extended congruence in the extended language, provided that the following conditions hold.

(1) If $(a_i\,\vec t)\theta \equiv (a_i\,\vec t')\theta'$, $a_i\,\vec t \to B$ and $a_i\,\vec t' \to B'$, then $B\theta \equiv B'\theta'$.

(2) There exists a well-founded order $<$ such that $a_j\,\vec t' < (a_i\,\vec t)\theta$ whenever $a_i\,\vec t \to B$ and $a_j\,\vec t'$ may occur in $B\theta$.

Note that condition (1) is not obviously satisfied, even when there is a single rule per atom. Consider, for example, $a\,(0 \times x) \to a'\,x$ in a setting where $0 \times x \equiv 0$: our condition requires that $a'\,x \equiv a'\,y$ for any $x$ and $y$, which is a priori not guaranteed. Condition (2) restricts the use of quantifiers but still allows useful constructions. Consider for example the Ackermann relation, built using a double induction on its first two parameters: $\mathit{ack}\ 0\ x\ (s\,x) \to \top$, $\mathit{ack}\ (s\,x)\ 0\ y \to \mathit{ack}\ x\ (s\,0)\ y$ and $\mathit{ack}\ (s\,x)\ (s\,y)\ z \to \exists r.\ \mathit{ack}\ (s\,x)\ y\ r \wedge \mathit{ack}\ x\ r\ z$. The third rule requires that $\mathit{ack}\ x\ r\ z < \mathit{ack}\ (s\,x)\ (s\,y)\ z$ for any $x$, $y$, $z$ and $r$, which is indeed satisfied with a lexicographic ordering.

Proof: We only present the main idea here; a detailed proof may be found in Appendix I. We first build pre-models $\mathcal{M}^{a_i \vec t}$ that are compatible with instances $a_j\,\vec t' \to B$ of the new rewrite rules for $a_j\,\vec t' \leq a_i\,\vec t$. This is done gradually following the order $<$, using a well-founded induction on $a_i\,\vec t$. We build $\mathcal{M}^{a_i \vec t}$ by aggregating smaller pre-models $\mathcal{M}^{a_j \vec t'}$ for $a_j\,\vec t' < a_i\,\vec t$ and adding the interpretation $a_i\,\vec t$. To define it, we consider rule instances of the form $a_i\,\vec t \to B$. If there is none we use a dummy interpretation: $a_i\,\vec t = SN$. Otherwise, condition (1) imposes that there is essentially a single possible such rewrite modulo the congruence, so it suffices to choose $|B|$ as the interpretation of $a_i\,\vec t$ to satisfy the new rewrite rules. Finally, we aggregate interpretations from all the pre-models $\mathcal{M}^{a_i \vec t}$ to obtain a pre-model of the full extended congruence. ■

This result can be used to obtain pre-models for complex definition schemes, such as ones that iterate and interleave groups of fixed-point and recursive definitions. Consider, for example, $a\,(s\,n) \to a\,n \supset a\,(s\,n)$. While this rewrite rule does not directly satisfy the conditions of Theorem 3, it can be rewritten into the form $a\,(s\,n) \to \mu Q.\ a\,n \supset Q$, which does satisfy these conditions.

B. An application of recursive definitions

Our example application is the formalization of the Tait-style argument of strong normalizability for the simply typed $\lambda$-calculus. We assume term-level sorts $tm$ and $ty$ corresponding to representations of $\lambda$-terms and simple types, and symbols $\iota : ty$, $\mathit{arrow} : ty \to ty \to ty$, $\mathit{app} : tm \to tm \to tm$ and $\mathit{abs} : (tm \to tm) \to tm$. We identify well-formed types through an inductive predicate:

$\mathit{isty} \stackrel{\mathrm{def}}{=} \mu\lambda T\lambda t.\ (t = \iota \vee \exists t'\exists t''.\ t = \mathit{arrow}\ t'\ t'' \wedge T\,t' \wedge T\,t'')$

We assume a definition of term reduction and strong normalization, denoting the latter predicate by $\mathit{sn}$. Finally, we define $\mathit{red}\ m\ t$, expressing that $m$ is a reducible $\lambda$-term of type $t$, by the following rewrite rules:

$\mathit{red}\ m\ \iota \to \mathit{sn}\ m$

$\mathit{red}\ m\ (\mathit{arrow}\ t\ t') \to \forall n.\ \mathit{red}\ n\ t \supset \mathit{red}\ (\mathit{app}\ m\ n)\ t'$

This definition satisfies the conditions of Theorem 3, taking as $<$ the order induced by the subterm ordering on the second argument of $\mathit{red}$. We can thus safely use it.
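The descent that condition (2) of Theorem 3 asks for can be checked mechanically for the kind of order used in this section and for the Ackermann relation above. The following is an added example written for this page, not code from the paper or from Abella; it implements one specific well-founded order (a precedence between the new predicate symbols, and for a predicate compared with itself the lexicographic extension of the proper-subterm order on chosen argument positions), which is a sufficient syntactic criterion rather than the general condition. The term encoding, the names `Atom`, `Rule`, `check_rules` and the sample rule sets are my own; the rules themselves are the ones stated on this page.

```python
"""Syntactic check of condition (2) of Theorem 3 for one well-founded order.

Added example, not the paper's code.  The order implemented here is:
  - a precedence (rank) between the newly defined predicate symbols, and
  - for a predicate compared with itself, the lexicographic extension of the
    proper-subterm order over a chosen tuple of argument positions.
The proper-subterm order is stable under substitution, so a decrease found on
the rule a_i t -> B itself holds for every instance (a_i t)theta -> B theta.

Term representation (my own): a variable is a str, a constructor application
is a tuple (name, arg1, ..., argk); constants are 1-tuples such as ("0",).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Atom:
    pred: str
    args: tuple


@dataclass(frozen=True)
class Rule:
    head: Atom                             # left-hand side a_i t
    body: tuple                            # atoms that may occur in the right-hand side B
    quantified: frozenset = frozenset()    # variables bound by a quantifier in B


def show(term):
    if isinstance(term, str):
        return term
    if len(term) == 1:
        return term[0]
    return "(" + " ".join(show(t) for t in term) + ")"


def atom_str(atom):
    return " ".join([atom.pred] + [show(t) for t in atom.args])


def mentions(term, variables):
    """True if `term` contains one of `variables`."""
    if isinstance(term, str):
        return term in variables
    return any(mentions(t, variables) for t in term[1:])


def proper_subterm(small, big):
    """`small` is a proper subterm of `big`; variables are treated as rigid."""
    if isinstance(big, str):
        return False
    return any(small == t or proper_subterm(small, t) for t in big[1:])


def lex_smaller(body_atom, head, positions, quantified):
    """body_atom < head in the lexicographic subterm order on `positions`."""
    for i in positions:
        b, h = body_atom.args[i], head.args[i]
        if mentions(b, quantified):
            # A quantified variable ranges over all terms ("may occur"), so
            # this position cannot witness a decrease.
            return False
        if b == h:
            continue
        return proper_subterm(b, h)
    return False                           # equal on every position: not smaller


def check_rules(rules, order):
    """order maps each new predicate to (rank, positions); ranks are distinct.

    Returns the comparisons that fail; an empty list means condition (2) holds
    for this order.  Atoms of predicates absent from `order` belong to the base
    language, are interpreted by the given pre-model M, and are skipped.
    """
    failures = []
    for rule in rules:
        head_rank, positions = order[rule.head.pred]
        for atom in rule.body:
            if atom.pred not in order:
                continue
            if atom.pred == rule.head.pred:
                ok = lex_smaller(atom, rule.head, positions, rule.quantified)
            else:
                ok = order[atom.pred][0] < head_rank
            if not ok:
                failures.append(f"{atom_str(atom)} not < {atom_str(rule.head)}")
    return failures


ZERO, IOTA = ("0",), ("iota",)


def S(t):
    return ("s", t)


# Ackermann relation: double induction on the first two arguments.
ACK = [
    Rule(Atom("ack", (ZERO, "x", S("x"))), ()),
    Rule(Atom("ack", (S("x"), ZERO, "y")), (Atom("ack", ("x", S(ZERO), "y")),)),
    Rule(Atom("ack", (S("x"), S("y"), "z")),
         (Atom("ack", (S("x"), "y", "r")), Atom("ack", ("x", "r", "z"))),
         frozenset({"r"})),
]
ACK_ORDER = {"ack": (0, (0, 1))}

# red m t: subterm ordering on the type argument only (sn m is a base atom).
RED = [
    Rule(Atom("red", ("m", IOTA)), ()),
    Rule(Atom("red", ("m", ("arrow", "t", "t'"))),
         (Atom("red", ("n", "t")), Atom("red", (("app", "m", "n"), "t'"))),
         frozenset({"n"})),
]
RED_ORDER = {"red": (0, (1,))}

# a (s n) -> a n => a (s n): the head atom may occur in its own body.
BAD = [Rule(Atom("a", (S("n"),)), (Atom("a", ("n",)), Atom("a", (S("n"),))))]
BAD_ORDER = {"a": (0, (0,))}

if __name__ == "__main__":
    for name, rules, order in [("ack", ACK, ACK_ORDER), ("red", RED, RED_ORDER), ("a", BAD, BAD_ORDER)]:
        print(name, check_rules(rules, order) or "ok")
```

Running it reports `ok` for the Ackermann and `red` rule sets and the single failing comparison `a (s n) not < a (s n)` for the rule that the text says must first be rewritten with a least fixed point; a body atom whose compared position contains a quantified variable (such as `a x -> exists y. a y`) is also rejected, since the instantiation of `y` is unconstrained.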

With these definitions, our logic allows us to mirror very closely the strong normalization proof presented in [12]. For instance, consider proving that reducible terms are strongly normalizing:

$\forall m\forall t.\ \mathit{isty}\ t \supset \mathit{red}\ m\ t \supset \mathit{sn}\ m$

The paper proof is by induction on types, which corresponds in the formalization to an elimination on $\mathit{isty}\ t$. In the base case, we have to derive $\mathit{red}\ m\ \iota \supset \mathit{sn}\ m$, which is simply an instance of $P \supset P$ modulo our congruence. In the arrow case, we must prove $\mathit{red}\ m\ (\mathit{arrow}\ t\ t') \supset \mathit{sn}\ m$. The hypothesis $\mathit{red}\ m\ (\mathit{arrow}\ t\ t')$ is congruent to $\forall n.\ \mathit{red}\ n\ t \supset \mathit{red}\ (\mathit{app}\ m\ n)\ t'$ and we can show that variables are always reducible¹, which gives us $\mathit{red}\ (\mathit{app}\ m\ x)\ t'$. From there, we obtain $\mathit{sn}\ (\mathit{app}\ m\ x)$ by induction hypothesis, from which we can deduce $\mathit{sn}\ m$ with a little more work.
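To make the computation behind that congruence step visible, here is the unfolding of $\mathit{red}$ on one concrete type. This is an added illustration, not part of the paper; the type $\mathit{arrow}\ \iota\ (\mathit{arrow}\ \iota\ \iota)$ is my own choice, and each line applies one instance of the rewrite rules for $\mathit{red}$ given above:

$$
\begin{aligned}
\mathit{red}\ m\ (\mathit{arrow}\ \iota\ (\mathit{arrow}\ \iota\ \iota))
 &\equiv \forall n.\ \mathit{red}\ n\ \iota \supset \mathit{red}\ (\mathit{app}\ m\ n)\ (\mathit{arrow}\ \iota\ \iota) \\
 &\equiv \forall n.\ \mathit{sn}\ n \supset \forall n'.\ \mathit{red}\ n'\ \iota \supset \mathit{red}\ (\mathit{app}\ (\mathit{app}\ m\ n)\ n')\ \iota \\
 &\equiv \forall n.\ \mathit{sn}\ n \supset \forall n'.\ \mathit{sn}\ n' \supset \mathit{sn}\ (\mathit{app}\ (\mathit{app}\ m\ n)\ n')
\end{aligned}
$$

In every step the body atoms carry, as second argument, a proper subterm ($\iota$, then $\mathit{arrow}\ \iota\ \iota$, then $\iota$ again) of the head's second argument, which is the descent required by condition (2) of Theorem 3; after finitely many unfoldings only the base predicate $\mathit{sn}$ remains, and it is interpreted by the pre-model given before $\mathit{red}$ was added.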

The full formalization, which is too detailed to present here, is shown in Appendix II. It has been tested using the proof assistant Abella [9]. The logic that underlies Abella features fixed-point definitions, closed-world equality and generic quantification. The last notion is useful when dealing with binding structures, and we have employed it in our formalization although it is not available yet in our logic. Abella does not actually support recursive definitions. To get around this fact, we have entered the one we need as an inductive definition, and ignored the warning provided about the non-monotonic clause while making sure to use an unfolding of this inductive definition in the proof only when this is allowed for recursive definitions. In the future, we plan to extend Abella to support recursive definitions based on the theory developed in this paper. This would mean allowing such definitions as a separate class, building in a test that they satisfy the criterion described in Theorem 3 and properly restricting the use of these definitions in proofs. Such an extension is obviously compatible with all the current capabilities of Abella and would support additional reasoning that is justifiably sound.

VI. Related and Future Work

The logical system that we have developed is obviously related to deduction modulo. In essence, it extends that system with a simple yet powerful treatment of fixed-point definitions. The additional power is obtained from two new features: fixed-point combinators and closed-world equality. If our focus is only on provability, the capabilities arising from these features may perhaps be encoded in deduction modulo. Dowek and Werner provide an encoding of arithmetic in deduction modulo, and also show how to build pre-models for some more general fixed-point constructs [8]. Regarding equality, Allali [1] has shown that a more algorithmic version of equality may be defined through the congruence, which makes it possible to simplify some equations by computing. Thus, it simulates some aspects of closed-world equality. However, the principle of substitutivity has to be recovered through a complex encoding involving inductions on the term structures. In any case, our concern here is not simply with provability; in general, we do not follow the project of deduction modulo to have a logic as basic as possible in which stronger systems are then encoded. Rather, we seek to obtain meaningful proof structures, whose study can reveal useful information. For instance, in the context of proof-search, it has been shown that a direct treatment of fixed-point definitions allows for stronger focused proof systems [3] which have served as a basis for several proof-search implementations [4], [5]. This goal also justifies why we do not simply use powerful systems such as the Calculus of Inductive Constructions [17] which obviously supports inductive as well as recursive definitions; here again we highlight the simplicity of our (co)induction rules and of our rich equality elimination principle.

¹ This actually has to be proved simultaneously with $\mathit{red}\ m\ t \supset \mathit{sn}\ m$, but we ignore it for the simplicity of the presentation.

Our logic is also related to logics of fixed-point definitions [14], [18], [22]. The system we have described represents an advance over these logics in that it adds to them a rewriting capability. As we have seen, this capability can be used to blend computation and deduction in natural ways and add support for recursive definitions; a similar support may also be obtained in other ways [21]. Our work also makes important contributions to the understanding of closed-world equality. We have shown that it is compatible with an equational theory on terms. We have, in addition, resolved some problematic issues related to this notion that affect the stability of finite proofs under reduction. This has allowed us to prove for the first time a strong normalizability result for logics of fixed-point definitions. Our calculus is, at this stage, missing a treatment of generic quantification present in some of the alternative logics [10], [11], [16]. We plan to include this feature in the future, and do not foresee any difficulty in doing so since it has typically been added in a modular fashion to such logics. This addition would make our logic an excellent choice for formalizing the meta-theory of computational and logical systems.

An important topic for further investigation of our system is proof search. The distinction between computation and deduction is critical for theorem proving with fixed point definitions. For instance, in the Tac system [5], which is based on logics of definitions, automated (co)inductive theorem proving relies heavily on ad-hoc annotations that identify computations. In that context, our treatment of recursive definitions seems like a good candidate for a more principled separation of computation and deduction. Finally, now that we have refactored equality rules to simplify the proof normalization process, we should study their proof search behavior. The new equality elimination rule seems difficult to analyze at first. However, we hope to gain some insights from studying its use in settings where the old rule (which it subsumes) is practically satisfactory, progressively moving to newer contexts where it offers advantages. We note in this regard that the new complexity is in fact welcome: the earlier infinitely branching treatments of closed-world equality had a simple proof-search treatment in theory, but did not provide a useful handle to study the practical difficulties of automated theorem proving with complex equalities.
Appendix I: Proofs of Lemmas and Theorems

A. Proof of Lemma 3 

We first observe that typed normal forms are characterized as usual: no introduction term is ever found as the main parameter of an elimination. This standard property is not affected by our new constructs. For example, consider the case of equality: $\delta_=(\ldots, \mathrm{refl}, (\theta_i.\pi_i)_i)$ can always be reduced by definition of complete sets of unifiers. The rest of the argument follows the usual lines: the proof cannot end with an elimination, otherwise it would have to be a chain of eliminations terminated with a proof variable, but the context is empty; it also cannot end with an introduction since there is no introduction for $\bot$ and the congruence cannot equate it with another connective.

B. Proof of Lemma 5 

All introduction rules are treated in a similar fashion:

• If $\pi$ is $(\alpha : |P| \vdash |Q|)$-reducible, then $\lambda\alpha.\pi \in |P \supset Q|$. First, $\lambda\alpha.\pi$ is SN, like all reducible proof-terms, because variables belong to all candidates, and candidates are sets of SN proofs. Now, assuming $\lambda\alpha.\pi \to^* \lambda\alpha.\pi'$, we seek to establish that $\pi'[\pi''/\alpha] \in |Q|$ for any $\pi'' \in |P|$. By definition of reducibility, $\pi[\pi''/\alpha]$ belongs to $|Q|$, and we conclude by stability of candidates under reduction since $\pi[\pi''/\alpha] \to^* \pi'[\pi''/\alpha]$.

• The cases for $\wedge$, $\vee$ and $\exists$ are proved similarly.

• The cases for $\top$ and equality are trivial.

• If $\pi[t/x] \in |P[t/x]|$ for any $t$, then $\lambda x.\pi \in |\forall x.\,P|$. Assume $\lambda x.\pi \to^* \lambda x.\pi'$. It must be the case that $\pi \to^* \pi'$, and for any $t$ we have $\pi[t/x] \to^* \pi'[t/x]$ by Proposition 1 and thus $\pi'[t/x] \in |P[t/x]|$ as needed.

• If $\pi \in |B(\mu B)\,\vec t|$, then $\mu(B, \vec t, \pi) \in |\mu B\,\vec t|$. From Definition 9, we have $|\mu B\,\vec t| = \mathrm{lfp}(\phi)(\vec t) = \phi(|\mu B|)(\vec t)$. Using Lemma 4, we obtain that $|\mu B\,\vec t| = \{\rho \in SN \mid \rho \to^* \mu(B, \vec t, \pi') \text{ implies } \pi' \in |B(\mu B)\,\vec t|\}$. It is now easy to see that $\pi \in |B(\mu B)\,\vec t|$ implies $\mu(B, \vec t, \pi) \in |\mu B\,\vec t|$: for any reduction $\mu(B, \vec t, \pi) \to^* \mu(B, \vec t, \pi')$ it must be the case that $\pi \to^* \pi'$ and thus $\pi' \in |B(\mu B)\,\vec t|$.

Elimination rules also follow a common scheme:

• If $\pi \in |P \supset Q|$ and $\pi' \in |P|$, then $\pi\,\pi' \in |Q|$. We proceed by induction on the strong normalizability of $\pi$ and $\pi'$. By the candidate of reducibility condition on neutral terms, it suffices to show that all immediate reducts $\pi\,\pi' \to \pi''$ belong to $|Q|$. If $\pi''$ is obtained by a reduction inside $\pi$ or $\pi'$, then we conclude by induction hypothesis since the resulting subterm still belongs to the expected interpretation. Otherwise, it must be that $\pi = \lambda\alpha.\rho$ and the reduct is $\rho[\pi'/\alpha]$. In that case we conclude by definition of $\pi \in |P \supset Q|$.

• The cases of $\wedge$, $\vee$ and $\bot$ are treated similarly.

• If $\pi \in |\forall x.\,P|$, then $\pi\,t \in |P[t/x]|$. We proceed by induction on the strong normalizability of $\pi$, considering all one-step reducts of the neutral term $\pi\,t$. Internal reductions are handled by induction hypothesis. If $\pi = \lambda x.\pi'$, our term may reduce at toplevel into $\pi'[t/x]$. In that case we conclude by definition of $|\forall x.\,P|$.

• If $\pi \in |\exists x.\,P|$ and $\pi'[t/x]$ is $(\alpha : |P[t/x]| \vdash |Q|)$-reducible for any $t$, then $\delta_\exists(\pi, x.\alpha.\pi') \in |Q|$. We proceed by induction on the strong normalizability of $\pi$ and $\pi'$, considering all one-step reducts. The internal reductions are handled by induction hypothesis. A toplevel reduction into $\pi'[t/x][\pi''/\alpha]$ may occur when $\pi = \langle t, \pi''\rangle$, in which case we have $\pi'' \in |P[t/x]|$ by hypothesis on $\pi$ and definition of $|\exists x.\,P|$. We conclude by hypothesis on $\pi'[t/x]$.

• If $\pi \in |t\theta = t'\theta|$, $\sigma \in |\Gamma\theta|$ and $\pi_i\theta'$ is $(|\Gamma\theta_i\theta'| \vdash |P\theta_i\theta'|)$-reducible for any $i$ and $\theta'$, then $\delta_=(\Gamma, \theta, \sigma, t, t', P, \pi, (\theta_i.\pi_i)_i) \in |P\theta|$. We proceed by induction on the strong normalizability of the subderivations $\pi$, $\sigma$ and $\pi_i$. In order to show that a neutral term belongs to a candidate, it suffices to consider all its one-step reducts. Reductions occurring inside subterms are handled by induction hypothesis. We may also have a toplevel redex when $t\theta = t'\theta$ and $\pi = \mathrm{refl}$, reducing to $\pi_i\theta'\sigma$ where $\theta'$ is such that $\theta_i\theta' = \theta$. By hypothesis, $\pi_i\theta'$ is $(|\Gamma\theta_i\theta'| \vdash |P\theta_i\theta'|)$-reducible and $\sigma \in |\Gamma\theta| = |\Gamma\theta_i\theta'|$, and thus we have $\pi_i\theta'\sigma \in |P\theta|$ as expected.

• The case of $\delta_\nu$ is singular, as it follows directly from the definition of the interpretation of greatest fixed points. Indeed, we obtain exactly $|\nu B\,\vec t| = \{\pi \mid \delta_\nu(B, \vec t, \pi) \in |B(\nu B)\,\vec t|\}$ by unfolding the interpretation of greatest fixed points like we did for the least fixed point case above, using Definition 9 and Lemma 4.

C. Proof of Lemmas 6, 7 and 8 

Let us first introduce the following notation for conciseness: we say that $\pi$ is $(\vec x, X\vec x \vdash Y\vec x)$-reducible when $\pi[\vec t/\vec x]$ is $(X\vec t \vdash Y\vec t)$-reducible for any $\vec t$.

We prove the three lemmas simultaneously, generalized as follows for a predicate operator $B$ of second-order arity² $n + 1$, predicates $\vec A$ and predicate candidates $\vec Z$:

(1) For any $(\vec x, X\vec x \vdash X'\vec x)$-reducible $\pi$, $F^+_{B\vec A}(\vec x.\alpha.\pi) \in |B\vec Z X \supset B\vec Z X'|$.

(2) For any $(\vec x, X\vec x \vdash X'\vec x)$-reducible $\pi$, $F^-_{B\vec A}(\vec x.\alpha.\pi) \in |B\vec Z X' \supset B\vec Z X|$.

(3) For any $(\vec x, |B|\vec Z X\vec x \vdash X\vec x)$-reducible $\pi$, $\delta_\mu(\beta, \vec x.\alpha.\pi)$ is $(|\mu(B\vec Z)\,\vec t| \vdash X\vec t)$-reducible.

(4) For any $(\vec x, X\vec x \vdash |B|\vec Z X\vec x)$-reducible $\pi$, $\nu(\beta, \vec x.\alpha.\pi)$ is $(X\vec t \vdash |\nu(B\vec Z)\,\vec t|)$-reducible.

We proceed by induction on the number of logical connectives in $B$. The purpose of the generalization is to keep formulas $\vec A$ out of the picture: those are potentially large but are treated atomically in the definition of functoriality; moreover they will be interpreted by candidates $\vec Z$ which may not be interpretations of formulas. We first prove (3) and (4) by relying on smaller instances of (1), then we show (1) and (2) by relying on smaller instances of all four properties but also instances of (3) and (4) for an operator of the same size.

² In (1) and (2), $B$ has type $o^{n+1} \to o$. In (3) and (4) we are considering $B$ of type $o^n \to (\vec\gamma \to o) \to (\vec\gamma \to o)$.

Fig. 7. Typing functoriality for greatest fixed-points (the typing derivation tree is not recoverable from this rendering).

(1) We proceed by case analysis on $B$. When $B = \lambda\vec p\lambda q.\,q\,\vec t$, we have to establish that $F^+_{B\vec A}(\vec x.\alpha.\pi) = \lambda\beta.\,\pi[\vec t/\vec x][\beta/\alpha] \in |X\vec t \supset X'\vec t|$. It simply follows from Lemma 5 and the hypothesis on $\pi$. When $B = \lambda\vec p\lambda q.\,B'\vec p$ where $q$ does not occur in $B'$, we have to show $F^+_{B\vec A}(\vec x.\alpha.\pi) = \lambda\beta.\beta \in |B'\vec Z \supset B'\vec Z|$, which is trivial.

In all other cases, we use the adequacy properties and conclude by induction hypothesis. Most cases are straightforward, relying on the adequacy properties. In the implication case, i.e., $B$ is $B_1 \supset B_2$, we use induction hypothesis (2) on $B_1$ and (1) on $B_2$. Let us only detail the least fixed point case:

$F^+_{\lambda q.\,\mu(B\vec A q)\,\vec t}(\vec x.\alpha.\pi) = \lambda\beta.\,\delta_\mu(\beta,\ \vec x.\gamma.\,\mu(B\vec A P', \vec x, F^+_{(\lambda\vec p\lambda p_{n+1}\lambda q.\,B\,\vec p\,q\,p_{n+1}\,\vec x)\vec A\,\mu(B\vec A P')}(\vec x.\alpha.\pi)\,\gamma))$

By induction hypothesis (1) with $B := \lambda\vec p\lambda p_{n+1}\lambda q.\,B\,\vec p\,q\,p_{n+1}\,\vec x$, $A_{n+1} := \mu(B\vec A P')$ and $Z_{n+1} := |\mu(B\vec Z X')|$, we have:

$F^+_{(\lambda\vec p\lambda p_{n+1}\lambda q.\,B\,\vec p\,q\,p_{n+1}\,\vec x)\vec A\,\mu(B\vec A P')}(\vec x.\alpha.\pi) \in |B\vec Z X(\mu(B\vec Z X'))\vec x \supset B\vec Z X'(\mu(B\vec Z X'))\vec x|$

We can now apply the $\supset$-elimination and $\mu$-introduction principles to obtain that $\mu(B\vec A P', \vec x, F^+_{(\lambda\vec p\lambda p_{n+1}\lambda q.\,B\,\vec p\,q\,p_{n+1}\,\vec x)\vec A\,\mu(B\vec A P')}(\vec x.\alpha.\pi)\,\gamma)$ is $(\gamma : |B\vec Z X(\mu(B\vec Z X'))\vec x| \vdash |\mu(B\vec Z X')\vec x|)$-reducible. Finally, we conclude using induction hypothesis (3) with $B := \lambda\vec p\lambda p_{n+1}\lambda q\lambda\vec x.\,B\,\vec p\,p_{n+1}\,q\,\vec x$, $A_{n+1} := P$, $Z_{n+1} := X$ and $X := |\mu(B\vec Z X')|$: $F^+_{\lambda q.\,\mu(B\vec A q)\,\vec t}(\vec x.\alpha.\pi)$ is $(|\mu(B\vec Z X)\,\vec t| \vdash |\mu(B\vec Z X')\,\vec t|)$-reducible.

(2) Antimonotonicity: symmetric of monotonicity, without the variable case.

(3) Induction: we seek to establish that $\delta_\mu(\rho, \vec x.\alpha.\pi) \in X\vec t$ when $\rho \in |\mu(B\vec Z)\,\vec t|$ and $\pi$ is $(\vec x, |B|\vec Z X\vec x \vdash X\vec x)$-reducible. We shall show that $|\mu(B\vec Z)\,\vec t|$ is included in the set of proofs for which this holds, by showing that (a) this set is a candidate and (b) it is a prefixed point of $\phi$ such that $|\mu(B\vec Z)\,\vec t| = \mathrm{lfp}(\phi)$. Let us consider

$Y := \vec t \mapsto \{\rho \mid \delta_\mu(\rho, \vec x.\alpha.\pi) \in X\vec t\}$

First, $Y\vec t$ is a candidate for any $\vec t$: conditions (1) and (2) are inherited from $X\vec t$, only condition (3) is non-trivial. Assuming that every one-step reduct of a neutral derivation $\rho$ belongs to $Y$, we prove $\delta_\mu(\rho, \vec x.\alpha.\pi) \in X\vec t$. This is done by induction on the strong normalizability of $\pi$. Using condition (3) on $X\vec t$, it suffices to consider one-step reducts: if the reduction takes place in $\rho$ we conclude by hypothesis; if it takes place in $\pi$ we conclude by induction hypothesis; finally, it cannot take place at toplevel because $\rho$ is neutral.

We now establish that $\phi(Y) \subseteq Y$: assuming $\rho \in \phi(Y)\vec t$, we show that $\delta_\mu(\rho, \vec x.\alpha.\pi) \in X\vec t$. This is done by induction on the strong normalizability of $\rho$ and $\pi$, and it suffices to show that each one-step reduct belongs to $X\vec t$, with internal reductions handled simply by induction hypothesis. Therefore we consider the case where $\rho = \mu(B\vec A, \vec t, \pi')$ and our derivation reduces to $\pi[\vec t/\vec x][F^+_{B\vec A}(\vec x.\beta.\delta_\mu(\beta, \vec x.\alpha.\pi))\,\pi' / \alpha]$. Now, recall that $\pi[\vec t/\vec x]$ is $(|B\vec Z|X\vec t \vdash X\vec t)$-reducible. Since $\mu(B\vec A, \vec t, \pi') = \rho \in \phi(Y)\vec t$, we also have $\pi' \in |B\vec Z Y\vec t|$. By induction hypothesis (1) we obtain that $F^+_{B\vec A}(\vec x.\beta.\delta_\mu(\beta, \vec x.\alpha.\pi))$ is $(|B\vec Z Y\vec t| \vdash |B\vec Z X\vec t|)$-reducible, since $\delta_\mu(\beta, \vec x.\alpha.\pi)$ is $(\vec x, \beta : Y\vec x \vdash X\vec x)$-reducible by definition of $Y$. We conclude by composing all that.

(4) Coinduction is similar to induction. Let us consider

$Y := \vec t \mapsto \{\pi \in SN \mid \pi \to^* \nu(\rho, \vec x.\alpha.\pi') \text{ implies } \rho \in X\vec t \text{ and } \pi' \text{ is } (\vec x, \alpha : X\vec x \vdash |B|\vec Z X\vec x)\text{-reducible}\}$

It is easy to show that $Y$ is a predicate candidate, and if we show that $Y \subseteq |\nu(B\vec Z)|$ we can conclude because the properties on $\rho$ and $\pi'$ are preserved by reduction. We have $|\nu(B\vec Z)| = \mathrm{gfp}(\phi)$, so it suffices to establish that $Y$ is a post-fixed point of $\phi$, or in other words that for any $\vec t$ and $\pi \in Y\vec t$, $\delta_\nu(B\vec A, \vec t, \pi) \in |B|\vec Z Y\vec t$. We do this as usual by induction on the strong normalizability of $\pi$, and the only interesting case to consider is the toplevel reduction, which can occur when $\pi = \nu(\rho, \vec x.\alpha.\pi')$. The reduct is $F^+_{B\vec A}(\vec x.\beta.\nu(\beta, \vec x.\alpha.\pi'))\ (\pi'[\vec t/\vec x][\rho/\alpha])$. It does belong to $|B\vec Z Y\vec t|$ because: $\rho \in X\vec t$ by definition of $\pi \in Y\vec t$; $\pi'[\vec t/\vec x]$ is $(\alpha : X\vec t \vdash |B|\vec Z X\vec t)$-reducible for the same reason; and finally $F^+_{B\vec A}(\vec x.\beta.\nu(\beta, \vec x.\alpha.\pi')) \in |B\vec Z X\vec t \supset B\vec Z Y\vec t|$ by (1) since $\nu(\beta, \vec x.\alpha.\pi')$ is $(\vec x, \beta : X\vec x \vdash Y\vec x)$-reducible by definition of $Y$.

D. Proof of Theorem 2 

We proceed by induction on the height of $\pi$. If $\pi$ is a variable $\alpha$, then $\pi\sigma = \sigma(\alpha)$. Thus, it belongs to $|\Gamma(\alpha)|$ by hypothesis, and since we are considering a pre-model of the congruence, and $P \equiv \Gamma(\alpha)$, we have $\pi\sigma \in |P|$.

Other cases follow from the adequacy properties established previously. For instance, if $\pi$ is of the form $\lambda\alpha.\pi'$, then $P \equiv P_1 \supset P_2$ and $|P| = |P_1 \supset P_2|$. By induction hypothesis, $\pi'$ is $(\Gamma, \alpha : |P_1| \vdash |P_2|)$-reducible. Equivalently, $\pi'\sigma$ is $(|P_1| \vdash |P_2|)$-reducible, and we conclude using Lemma 5. In the case where $\pi = \lambda x.\pi'$, we need to establish that each $\pi'\sigma[t/x]$ belongs to $|P'[t/x]|$. We obtain this by induction hypothesis, since $\pi'[t/x]$ has the same height as $\pi'$, which is smaller than $\pi$, and we do have $\Gamma[t/x] \vdash \pi'[t/x] : P'[t/x]$. Similarly, when $\pi = \delta_=(\Gamma', \theta', \sigma', t, t', P', \pi', (\theta_i.\pi_i)_i)$, we establish $\pi\sigma \in |P'\theta'|$ by using the induction hypothesis to obtain that $\sigma'\sigma \in |\Gamma'\theta'|$, $\pi'\sigma \in |t\theta' = t'\theta'|$ and, for any $i$ and $\theta''$, $\pi_i\theta''$ is $(|\Gamma'\theta_i\theta''| \vdash |P'\theta_i\theta''|)$-reducible.

E. Proof of Theorem 3 

We define $\equiv_{<a_i\vec t}$ (resp. $\equiv_{\leq a_i\vec t}$) to be the congruence resulting from the extension of $\equiv$ with rule instances $a_j\,\vec t' \to B$ for $a_j\,\vec t' < a_i\,\vec t$ (resp. $a_j\,\vec t' \leq a_i\,\vec t$). Let us also write $P < a_i\,\vec t$ (resp. $P \leq a_i\,\vec t$) when $a_j\,\vec t' < a_i\,\vec t$ (resp. $a_j\,\vec t' \leq a_i\,\vec t$) for any $a_j\,\vec t'$ which may occur in $P$. We shall build a family of pre-models $\mathcal{M}^{a_i\vec t}$ such that:

(a) for any $a_i\,\vec t < a_j\,\vec t'$, $|a_j\,\vec t'|_{\mathcal{M}^{a_i\vec t}} = SN$;

(b) for any $P \leq a_j\,\vec t'$ and $a_j\,\vec t' \leq a_i\,\vec t$, $|P|_{\mathcal{M}^{a_i\vec t}} = |P|_{\mathcal{M}^{a_j\vec t'}}$;

(c) $\mathcal{M}^{a_i\vec t}$ is a pre-model of $\equiv_{\leq a_i\vec t}$.

We proceed by well-founded induction. Assuming that $\mathcal{M}^{a_j\vec t'}$ is defined for all $a_j\,\vec t' < a_i\,\vec t$, we shall thus build $\mathcal{M}^{a_i\vec t}$.

We first define $\mathcal{M}^{<a_i\vec t}$ by taking each $a_j\,\vec t'$ to be the same as in $\mathcal{M}^{a_j\vec t'}$ when $a_j\,\vec t' < a_i\,\vec t$ and $SN$ otherwise. By this definition and property (b) of our pre-models, we have

$|P|_{\mathcal{M}^{<a_i\vec t}} = |P|_{\mathcal{M}^{a_j\vec t'}}$ for any $P \leq a_j\,\vec t'$ and $a_j\,\vec t' < a_i\,\vec t$.

Next, we observe that $\mathcal{M}^{<a_i\vec t}$ is a pre-model of $\equiv_{<a_i\vec t}$. It suffices to check it separately for each rewrite rule. An instance $P \to Q$ of a rule defining the initial congruence cannot involve the new predicates, so in that case we do have

$|P|_{\mathcal{M}^{<a_i\vec t}} = |P|_{\mathcal{M}} = |Q|_{\mathcal{M}} = |Q|_{\mathcal{M}^{<a_i\vec t}}$.

For a rule instance $a_j\,\vec t' \to B$ with $a_j\,\vec t' < a_i\,\vec t$, the property is similarly inherited from $\mathcal{M}^{a_j\vec t'}$ because $B < a_j\,\vec t'$ by (2):

$|a_j\,\vec t'|_{\mathcal{M}^{<a_i\vec t}} = |a_j\,\vec t'|_{\mathcal{M}^{a_j\vec t'}} = |B|_{\mathcal{M}^{a_j\vec t'}} = |B|_{\mathcal{M}^{<a_i\vec t}}$.

We finally build $\mathcal{M}^{a_i\vec t}$ to be the same as $\mathcal{M}^{<a_i\vec t}$ except for $a_i\,\vec t$, which is defined as follows:

• If there is no rule $a_i\,\vec t'' \to B$ such that $\vec t''\theta = \vec t$, we define $a_i\,\vec t$ to be $SN$.

• Otherwise, pick any such $B$, and define $a_i\,\vec t$ to be $|B\theta|_{\mathcal{M}^{<a_i\vec t}}$. This is uniquely defined: for any other $a_i\,\vec t''' \to B'$ such that $a_i\,\vec t \equiv (a_i\,\vec t''')\theta'$, we have $B\theta \equiv B'\theta'$ by (1), and thus $|B'\theta'|_{\mathcal{M}^{<a_i\vec t}} = |B\theta|_{\mathcal{M}^{<a_i\vec t}}$ since $\mathcal{M}^{<a_i\vec t}$ is a fortiori a pre-model of $\equiv$.

This extended pre-model satisfies (a) by construction. It is also simple to show that it satisfies (b). To check that it verifies (c) we check separately each instance of a rewrite rule: by construction, our pre-model is compatible with instances of the form $a_i\,\vec t \to B$, and it inherits that property from $\mathcal{M}^{<a_i\vec t}$ for other instances.

Finally, we define our new pre-model $\mathcal{M}$ by taking each $a_i\,\vec t$ in $\mathcal{M}^{a_i\vec t}$. It is a pre-model of the extended congruence: it is easy to check that it is compatible with all rewrite rules.

Appendix II: Formalization of Strong Normalizability

We detail below the formalization of Tait's strong normalizability argument described in Section V. The full Abella scripts are available at http://www.lix.polytechnique.fr/~dbaelde/lics12.

Following the two-level reasoning methodology facilitated by Abella, we first define the objects and judgments of interest in a module file shown on Figure 8. The specification is given by means of hereditary Harrop clauses³. Adequate representations are obtained by considering uniform proofs for the corresponding clauses. For instance, uniform proofs of $\Gamma \vdash \mathit{of}\ M\ T$ are in bijection with typing derivations in simply typed $\lambda$-calculus. Abella allows one to reason over the specified objects through this representation methodology. Derivability is inductively defined as a builtin predicate in Abella, written in a concise notation: {C |- of M T} corresponds to the derivability of $C \vdash \mathit{of}\ M\ T$. For more details on the methodology and syntax of Abella, refer to http://abella.cs.umn.edu.

A. Preliminaries 

We first prove that steps is transitive and that it is a
congruence.

Theorem steps_steps : forall M N P,
  {steps M N} -> {steps N P} ->
  {steps M P}.

Theorem steps_app_left : forall M M' N,
  {steps M M'} -> {steps (app M N) (app M' N)}.

Theorem steps_app_right : forall M M' N,
  {steps M M'} -> {steps (app N M) (app N M')}.

Theorem steps_app : forall M M' N N',
  {steps M M'} -> {steps N N'} ->
  {steps (app M N) (app M' N')}.

Theorem steps_abs : forall M M', nabla x,
  {steps (M x) (M' x)} ->
  {steps (abs M) (abs M')}.

Next, we define open terms, which cannot be done at the
specification level like, for example, the definition of isty.
We prove a few basic properties of open terms.

Define isotm : tm -> prop by
  nabla x, isotm x ;
  isotm (app M N) := isotm M /\ isotm N ;
  isotm (abs M) := nabla x, isotm (M x).

Theorem isotm_subst : forall M N, nabla x,
  isotm (M x) -> isotm N -> isotm (M N).

Theorem isotm_step : forall M M',
  isotm M -> {step M M'} -> isotm M'.

Theorem step_osubst_steps : forall M N N', nabla x,
  isotm (M x) -> {step N N'} -> {steps (M N) (M N')}.

isty iota.
isty (arrow T T') :- isty T, isty T'.

istm (app M N) :- istm M, istm N.
istm (abs M) :- pi x\ istm x => istm (M x).

of (app M N) T' :- of N T, of M (arrow T T').
of (abs M) (arrow T T') :-
  isty T, pi x\ of x T => of (M x) T'.

step (app (abs M) N) (M N).
step (app M N) (app M' N) :- step M M'.
step (app M N) (app M N') :- step N N'.
step (abs M) (abs M') :- pi x\ step (M x) (M' x).

steps M M.
steps M N :- step M M', steps M' N.

subst (app M N) (app M' N') :-
  subst M M', subst N N'.
subst (abs M) (abs M') :-
  pi x\ pi y\ subst x y => subst (M x) (M' y).

Fig. 8. Module file for the Abella formalization

[1] These clauses also define a λProlog program, which gives a way to execute them
directly.

B. Strong normalizability

We define strong normalizability and prove some basic
properties about it.

Define sn : tm -> prop by
  sn M := forall N, {step M N} -> sn N.

Theorem var_sn : nabla x, sn x.

Theorem sn_step_sn : forall M N,
  sn M -> {step M N} -> sn N.

Theorem sn_preserve : forall M, nabla x,
  sn (app M x) -> sn M.

Theorem sn_app : forall M N,
  sn M -> sn N ->
  (forall M', {steps M (abs M')} -> false) ->
  sn (app M N).

C. Reducibility

We now give the definition of reducibility. Abella issues a
warning here, because the definition is not monotone, and is
thus not formally supported by its underlying theory. However,
as explained in Section V, this recursive definition can be
justified as rewrite rules in our framework. Below, it is always
going to be used following this interpretation.

Define red : tm -> ty -> prop by
  red M iota := sn M ;
  red M (arrow T T') := forall N,
    isotm N -> red N T -> red (app M N) T'.

We now prove the three conditions defining candidates of
reducibility. We first show that reducible terms are SN, and
simultaneously that variables are reducible, which requires a
generalization to showing that $x\,N_1 \ldots N_k$ is reducible when
the $N_i$ are SN.

Define vargen : tm -> prop by
  nabla x, vargen x ;
  vargen (app M N) := vargen M /\ sn N.

Theorem vargen_step_vargen : forall M N,
  vargen M -> {step M N} -> vargen N.

Theorem vargen_steps_noabs : forall M M',
  vargen M -> {steps M (abs M')} -> false.

Theorem vargen_sn : forall M, vargen M -> sn M.

Theorem red_sn_gen : forall M T,
  {isty T} ->
  (red M T -> sn M) /\ (vargen M -> red M T).

Theorem var_red : forall T, nabla x,
  {isty T} -> red x T.

Theorem red_sn : forall M T,
  {isty T} -> red M T -> sn M.

The second condition is that reducts remain in reducibility
sets.

Theorem red_step : forall M M' T,
  {isty T} -> red M T -> {step M M'} ->
  red M' T.

Theorem red_steps : forall M M' T,
  {isty T} -> red M T -> {steps M M'} ->
  red M' T.

Finally, if all one-step reducts of a neutral term are in a
set, then so is the term. We only prove it for neutral terms
which are applications. Here, the inner induction is taken care
of using an auxiliary lemma.

Theorem cr3_aux : forall M1 M2 N T1 T',
  {isty T1} -> sn N -> isotm N -> red N T1 ->
  (forall M1 M2,
    (forall M',
      {step (app M1 M2) M'} -> red M' T') ->
    red (app M1 M2) T') ->
  (forall M',
    {step (app M1 M2) M'} ->
    red M' (arrow T1 T')) ->
  red (app (app M1 M2) N) T'.

Theorem red_anti : forall M N T,
  {isty T} ->
  (forall M',
    {step (app M N) M'} -> red M' T) ->
  red (app M N) T.

D. Contexts 

We characterize the contexts used in derivations of of M T
and subst M M' that are involved in the proof of adequacy. We
also define separately their relationship, using mapctx. This
approach requires a fair number of book-keeping lemmas.

Define name : tm -> prop by nabla x, name x.

Define ofctx : olist -> prop by
  ofctx nil ;
  nabla x, ofctx (of x T :: C) :=
    {isty T} /\ ofctx C.

Define substctx : olist -> prop by
  substctx nil ;
  nabla x, substctx (subst x (M x) :: C) :=
    nabla x, isotm (M x) /\ substctx C.

Define mapctx : olist -> olist -> prop by
  mapctx nil nil ;
  nabla x,
    mapctx (of x T :: C) (subst x (M x) :: C') :=
    nabla x,
      {isty T} /\ isotm (M x) /\
      red (M x) T /\ mapctx C C'.

Theorem ofctx_member_isty : forall C T,
  ofctx C -> member (isty T) C -> false.

Theorem isty_weaken : forall C T,
  ofctx C -> {C |- isty T} -> {isty T}.

Theorem ofctx_member_isty : forall C M T,
  ofctx C -> member (of M T) C -> {isty T}.

Theorem of_isty : forall C M T,
  ofctx C -> {C |- of M T} -> {isty T}.

Theorem mapctx_of : forall G G' M T,
  mapctx G G' -> member (of M T) G ->
  name M /\
  exists M', red M' T /\ member (subst M M') G'.

Theorem mapctx_subst : forall G G' M M',
  mapctx G G' -> member (subst M M') G' ->
  name M /\
  exists T, red M' T /\ member (of M T) G.

Theorem mapctx_split : forall C C',
  mapctx C C' -> ofctx C /\ substctx C'.

Theorem ofctx_member_name : forall C M T,
  ofctx C -> member (of M T) C -> name M.

Theorem of_isotm : forall C M T,
  ofctx C -> {C |- of M T} -> isotm M.

Theorem substctx_member : forall C M M',
  substctx C -> member (subst M M') C ->
  name M /\ isotm M'.

Theorem subst_isotm : forall C M M',
  substctx C -> isotm M -> {C |- subst M M'} ->
  isotm M'.

Theorem member_not_fresh :
  forall X L, nabla (n:tm),
  member (X n) L -> exists X', X = n\X'.

Theorem substctx_member_unique_aux :
  forall C M M', nabla x,
  substctx (C x) ->
  member (subst x (M x)) (C x) ->
  member (subst x (M' x)) (C x) ->
  M = M'.

Theorem substctx_member_unique : forall C X M M',
  substctx C ->
  member (subst X M) C ->
  {C |- subst X M'} -> M = M'.


E. Adequacy theorem 

Theorem abs_case : forall M N T', nabla x,
  isotm (M x) -> {isty T'} ->
  sn (M x) -> sn N ->
  red (M N) T' ->
  red (app (abs M) N) T'.

Theorem of_red : forall M M' T C C',
  mapctx C C' ->
  {C |- of M T} ->
  {C' |- subst M M'} ->
  red M' T.



To apply the adequacy result and obtain strong normal-
izability, it only remains to show that for any typed term
we can build the identity substitution context C' with which we have
{C' |- subst M M}, from which red M T and hence sn M fol-
low.



